23542300x800000000000000084662Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:37.599{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=825264531ADF3F97E002805F27E10C19,SHA256=CEBDE74F5CAAEC0181FAC50CA8A7334C3E3BD568E9466934B33B412EE02A744E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117037Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:37.037{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0392DA4BD8194BE4922157F1AC6AAED2,SHA256=CA896EA48CF8C3FC070CC83353C4D4613712483E8EF5A85E22079360614CBF64,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084661Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:34.660{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51605-false10.0.1.12-8000- 23542300x800000000000000084663Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:38.693{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB62870037A775AE9DF0552E3898233F,SHA256=491300AFDA429792CAE30A88CA7FA0D081B0A4DD42BBAF4C3DFB140A0C62A163,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117038Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:38.130{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A9B18DB348AD54459E0A6502CBCEE47,SHA256=1936DCB533A52ED56A624005DD0F74652AF0F39151333F97B33118ED9B7D14A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084665Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:39.943{9531C931-286D-623C-1200-000000004302}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=178BD93BA824959F2442BC7DE30AC3FA,SHA256=5EFF056003DC3EB000EEECA8F4C5E9845950167AF08BE5D701F6822654968F6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084664Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:39.786{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E7C078EC5827203FFC63E310F15FED5,SHA256=5EB5FAA6D38111A40161A7894197D764D49165823BE6D77E239C303A31A5ED3F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000117041Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:37.785{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63202-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000117040Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:39.224{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C556EA052DB4FF6FED7D88B47C6716CD,SHA256=373B98C1932C592F7132EF50BF2DE26FAD7598A49F66728A293E864EF0FC4422,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117039Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:39.115{5F3DCEF0-286D-623C-1300-000000004202}488NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=6EE838195D2D1849D53718D493474C86,SHA256=8FEE58AFD01E013FA3536EB9F52DEBE049E186CCE85AB1B3E5124245FFAA40E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084666Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:40.880{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F888D0F186DDCAFAC8B364958BA9E1EE,SHA256=57F0B23B2E52FEF4B7173761CB0043600F45AE7EA8C2465212724A1ED3107F3E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117286Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.896{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117285Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.896{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117284Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.896{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117283Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.896{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117282Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.896{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117281Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.896{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117280Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.896{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117279Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.896{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117278Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.896{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117277Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117276Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117275Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117274Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117273Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117272Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117271Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117270Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117269Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117268Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117267Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117266Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117265Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117264Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117263Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117262Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117261Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117260Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117259Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117258Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117257Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117256Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117255Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117254Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117253Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117252Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117251Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117250Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117249Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117248Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117247Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117246Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117245Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117244Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117243Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117242Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117241Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117240Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117239Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117238Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117237Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117236Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117235Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117234Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117233Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117232Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117231Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117230Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117229Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117228Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117227Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117226Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117225Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117224Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117223Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117222Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117221Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117220Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117219Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117218Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117217Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117216Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117215Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117214Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117213Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117212Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117211Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117210Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117209Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117208Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117207Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117206Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117205Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117204Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117203Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117202Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117201Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117200Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117199Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117198Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117197Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117196Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117195Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117194Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117193Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117192Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117191Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117190Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117189Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117188Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117187Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117186Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117185Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117184Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117183Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117182Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117181Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117180Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117179Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117178Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117177Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117176Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117175Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117174Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117173Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117172Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117171Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117170Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117169Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117168Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117167Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117166Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117165Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117164Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117163Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117162Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117161Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117160Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117159Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117158Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117157Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117156Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117155Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117154Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117153Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117152Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117151Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117150Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117149Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117148Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117147Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117146Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117145Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-4E68-623C-6805-000000004202}6796C:\Windows\system32\findstr.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117144Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117143Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117142Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117141Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-4E50-623C-6405-000000004202}6544C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117140Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-4E50-623C-6305-000000004202}6104C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117139Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-43D6-623C-FF03-000000004202}3712C:\Windows\system32\mspaint.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117138Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-4362-623C-F003-000000004202}4208C:\Windows\system32\mspaint.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117137Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-4350-623C-EE03-000000004202}2816C:\Windows\system32\mspaint.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117136Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117135Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117134Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-2A2F-623C-ED00-000000004202}2436C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117133Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117132Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117131Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117130Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117129Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117128Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117127Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117126Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-28F5-623C-AE00-000000004202}5884C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117125Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117124Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117123Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-28AE-623C-9E00-000000004202}5732C:\Program Files\Greenshot\Greenshot.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117122Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117121Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117120Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117119Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117118Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-28A3-623C-9800-000000004202}5168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117117Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117116Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117115Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-28A1-623C-8E00-000000004202}4668C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117114Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-28A1-623C-8B00-000000004202}4584C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117113Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-289F-623C-8800-000000004202}4188C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117112Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-289E-623C-8600-000000004202}3292C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117111Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-288D-623C-8200-000000004202}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117110Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117109Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-287D-623C-4F00-000000004202}3752C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117108Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-287D-623C-4A00-000000004202}3652C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117107Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-287C-623C-4300-000000004202}3448C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117106Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117105Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117104Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117103Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-287C-623C-3C00-000000004202}3284C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117102Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117101Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117100Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117099Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-287B-623C-3800-000000004202}2256C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117098Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117097Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.787{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117096Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.787{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117095Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.787{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117094Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.787{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117093Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.787{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-287B-623C-3700-000000004202}2600C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117092Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.787{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117091Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.787{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117090Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.787{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117089Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.787{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117088Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.787{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117087Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.787{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-287B-623C-3500-000000004202}2112C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117086Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.787{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-287B-623C-3400-000000004202}2020C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117085Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.787{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-287B-623C-3300-000000004202}2336C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117084Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.787{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117083Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.787{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117082Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.787{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-287B-623C-2F00-000000004202}3064C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117081Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.787{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-287B-623C-2E00-000000004202}3044C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117080Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.787{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-287B-623C-2C00-000000004202}2972C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117079Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.787{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-2876-623C-2A00-000000004202}2808C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117078Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.787{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-2874-623C-2900-000000004202}2732C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117077Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.787{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-2874-623C-2800-000000004202}2724C:\Users\Public\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117076Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.787{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-286E-623C-2100-000000004202}2144C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117075Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.787{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-286D-623C-1700-000000004202}1400C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117074Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.787{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-286D-623C-1600-000000004202}1260C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117073Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.787{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-286D-623C-1500-000000004202}1220C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117072Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.787{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-286D-623C-1400-000000004202}1088C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117071Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.787{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-286D-623C-1300-000000004202}488C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117070Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.787{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-286D-623C-1200-000000004202}396C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117069Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.787{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-286D-623C-1100-000000004202}408C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117068Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.787{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-286D-623C-1000-000000004202}428C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117067Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.787{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-286D-623C-0F00-000000004202}100C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117066Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.771{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-286D-623C-0E00-000000004202}980C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117065Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.771{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-286D-623C-0D00-000000004202}884C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117064Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.771{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-286C-623C-0C00-000000004202}824C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117063Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.771{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117062Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.771{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-286A-623C-0900-000000004202}560C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117061Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.771{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4E57-623C-6605-000000004202}6804C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117060Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.755{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117059Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.740{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117058Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.740{5F3DCEF0-4E50-623C-6405-000000004202}65446556C:\Windows\system32\conhost.exe{5F3DCEF0-4E68-623C-6805-000000004202}6796C:\Windows\system32\findstr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117057Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.724{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117056Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.724{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117055Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.724{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117054Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.724{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117053Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.724{5F3DCEF0-289E-623C-8500-000000004202}29804996C:\Windows\system32\csrss.exe{5F3DCEF0-4E68-623C-6805-000000004202}6796C:\Windows\system32\findstr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117052Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.724{5F3DCEF0-4E50-623C-6305-000000004202}61046536C:\Windows\system32\cmd.exe{5F3DCEF0-4E68-623C-6805-000000004202}6796C:\Windows\system32\findstr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+c3f6|C:\Windows\system32\cmd.exe+4917|C:\Windows\system32\cmd.exe+c378|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000117051Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.735{5F3DCEF0-4E68-623C-6805-000000004202}6796C:\Windows\System32\findstr.exe10.0.14393.0 (rs1_release.160715-1616)Find String (QGREP) UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationFINDSTR.EXEfindstr doublezeroC:\Users\Administrator\ATTACKRANGE\Administrator{5F3DCEF0-28A0-623C-DB99-080000000000}0x899db2HighMD5=15B171EC73E7B71F4EBB4247E716271E,SHA256=2956F7BC863498DFCC868CE7DF4C9C131A4A5C17B065658456AFEF7566ACE1EE,IMPHASH=D7962312082AAB17974D6817E09E5D7A{5F3DCEF0-4E50-623C-6305-000000004202}6104C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 10341000x8000000000000000117050Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.724{5F3DCEF0-4E50-623C-6405-000000004202}65446556C:\Windows\system32\conhost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117049Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.724{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117048Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.724{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117047Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.724{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117046Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.724{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117045Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.724{5F3DCEF0-289E-623C-8500-000000004202}29804132C:\Windows\system32\csrss.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117044Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.724{5F3DCEF0-4E50-623C-6305-000000004202}61046536C:\Windows\system32\cmd.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+c3f6|C:\Windows\system32\cmd.exe+484b|C:\Windows\system32\cmd.exe+c378|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000117043Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.732{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\System32\tasklist.exe10.0.14393.0 (rs1_release.160715-1616)Lists the current running tasksMicrosoft® Windows® Operating SystemMicrosoft Corporationtasklist.exetasklist C:\Users\Administrator\ATTACKRANGE\Administrator{5F3DCEF0-28A0-623C-DB99-080000000000}0x899db2HighMD5=6F2FDCF651A1650FC7B4FC5A860E4D9D,SHA256=27EDDAC6A2E5A74DF67C534393B0B025B03D61310748BE016DCE348A02D30A22,IMPHASH=9C5CFDDF3336412B8046D54234415205{5F3DCEF0-4E50-623C-6305-000000004202}6104C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 23542300x8000000000000000117042Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.318{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=351CC7211BB25CA987E4C288DA5D595F,SHA256=CCC861228D12678D4A2D1B917A00A086B5E1729FB44B3CC1EFEC67AA086D2ECE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084668Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:41.978{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72766B0E17AAA75610DBBDB6EA611C41,SHA256=C5FDB85EF6763789823C0A3168738BE3BB4FF478A5D17088B8E3E4BEA9385BBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117290Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:41.802{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6004C071518401D59B5302D8EB33A393,SHA256=6D387E1013F19FA2CF590F1C08883ABEF913195EF3C582C18E041848C17819EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117289Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:41.630{5F3DCEF0-287B-623C-3200-000000004202}2344NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B25FDCC12974A9C381F03B139373D5A,SHA256=CCB13157BCC6FA0284F12C6446F2447FFDD0F4F85F98465868293CDAEA96B09E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117288Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:41.521{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8B06529DE72772A4A210ABB67376204,SHA256=0019ABD3EEBF6CCF8DE9EFE4A1A0518A33AB11BF2C7A0663A43E9BF2EFC962F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117287Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:41.505{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60DAEAD3868CD1D3F1ABF3D4409FBBAD,SHA256=E6D33F4E74D0F8934960A6EB202DDF3BB82584845E7F04CB993C20DE0787A9E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084667Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:41.871{9531C931-286E-623C-1F00-000000004302}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0461bb3aaa367e86a\channels\health\respondent-20220324081441-157MD5=E0BA989DE2EAC2D304FA728EF5181BE5,SHA256=79811ABCB3575FCAAAD7A2ED1966FC2D319842A68AFDD7DF3600AD47FF32DF65,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000117536Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:41.379{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63203-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x8000000000000000117535Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.912{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117534Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.912{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117533Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.912{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117532Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.912{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117531Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.912{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117530Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.912{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117529Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.912{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117528Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.912{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117527Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.912{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117526Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.912{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117525Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.912{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117524Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.912{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117523Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.912{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117522Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.912{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117521Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.912{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117520Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.912{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117519Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.912{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117518Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.912{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117517Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.912{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117516Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.912{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117515Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.896{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117514Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.896{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117513Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.896{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117512Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.896{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117511Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.896{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117510Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.896{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117509Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.896{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117508Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.896{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117507Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.896{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000084672Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:42.869{9531C931-286E-623C-1F00-000000004302}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0461bb3aaa367e86a\channels\health\surveyor-20220324081439-158MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084671Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:42.181{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-1300-000000004302}700C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084670Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:42.181{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-1300-000000004302}700C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084669Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:42.181{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-1300-000000004302}700C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117506Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.896{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117505Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.896{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117504Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.896{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117503Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.896{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117502Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.896{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117501Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.896{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117500Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.896{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117499Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.896{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117498Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.896{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117497Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.896{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117496Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.896{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117495Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.896{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117494Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117493Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117492Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117491Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117490Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117489Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117488Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117487Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117486Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117485Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117484Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117483Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117482Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117481Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117480Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117479Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117478Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117477Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117476Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117475Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117474Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117473Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117472Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117471Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117470Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117469Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117468Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117467Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117466Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117465Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117464Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117463Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117462Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117461Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117460Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117459Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117458Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117457Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117456Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117455Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117454Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117453Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117452Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117451Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117450Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117449Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117448Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117447Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117446Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117445Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117444Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117443Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117442Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117441Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117440Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117439Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117438Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117437Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117436Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117435Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117434Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117433Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117432Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117431Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117430Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117429Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117428Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117427Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117426Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117425Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117424Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117423Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117422Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117421Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117420Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117419Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117418Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117417Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117416Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117415Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117414Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117413Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117412Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117411Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117410Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117409Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117408Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117407Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117406Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117405Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117404Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117403Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117402Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117401Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117400Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117399Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117398Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117397Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117396Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117395Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117394Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117393Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117392Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-4E6A-623C-6A05-000000004202}2680C:\Windows\system32\findstr.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117391Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117390Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-4E50-623C-6405-000000004202}6544C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117389Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-4E50-623C-6305-000000004202}6104C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117388Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117387Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117386Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117385Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-43D6-623C-FF03-000000004202}3712C:\Windows\system32\mspaint.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117384Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117383Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117382Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117381Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-4362-623C-F003-000000004202}4208C:\Windows\system32\mspaint.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117380Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117379Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-4350-623C-EE03-000000004202}2816C:\Windows\system32\mspaint.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117378Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117377Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117376Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117375Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117374Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-2A2F-623C-ED00-000000004202}2436C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117373Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117372Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117371Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117370Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-28F5-623C-AE00-000000004202}5884C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117369Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117368Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-28AE-623C-9E00-000000004202}5732C:\Program Files\Greenshot\Greenshot.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117367Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-28A3-623C-9800-000000004202}5168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117366Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117365Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117364Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-28A1-623C-8E00-000000004202}4668C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117363Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-28A1-623C-8B00-000000004202}4584C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117362Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-289F-623C-8800-000000004202}4188C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117361Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-289E-623C-8600-000000004202}3292C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117360Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-288D-623C-8200-000000004202}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117359Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117358Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117357Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117356Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117355Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117354Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-287D-623C-4F00-000000004202}3752C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117353Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117352Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117351Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117350Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117349Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-287D-623C-4A00-000000004202}3652C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117348Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117347Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117346Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117345Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.818{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-287C-623C-4300-000000004202}3448C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117344Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117343Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.818{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-287C-623C-3C00-000000004202}3284C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117342Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117341Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.818{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-287B-623C-3800-000000004202}2256C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117340Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.818{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-287B-623C-3700-000000004202}2600C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117339Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117338Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117337Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.818{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117336Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.818{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-287B-623C-3500-000000004202}2112C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117335Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.818{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-287B-623C-3400-000000004202}2020C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117334Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.818{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-287B-623C-3300-000000004202}2336C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117333Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.818{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117332Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.818{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117331Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.818{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-287B-623C-2F00-000000004202}3064C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117330Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.818{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-287B-623C-2E00-000000004202}3044C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117329Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.818{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-287B-623C-2C00-000000004202}2972C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117328Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.818{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-2876-623C-2A00-000000004202}2808C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117327Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.818{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-2874-623C-2900-000000004202}2732C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117326Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.818{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-2874-623C-2800-000000004202}2724C:\Users\Public\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117325Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.818{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-286E-623C-2100-000000004202}2144C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117324Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.818{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-286D-623C-1700-000000004202}1400C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117323Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.818{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-286D-623C-1600-000000004202}1260C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117322Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.818{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-286D-623C-1500-000000004202}1220C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117321Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.818{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-286D-623C-1400-000000004202}1088C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117320Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.818{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-286D-623C-1300-000000004202}488C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117319Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.818{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-286D-623C-1200-000000004202}396C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117318Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.818{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-286D-623C-1100-000000004202}408C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117317Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.818{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-286D-623C-1000-000000004202}428C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117316Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.818{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-286D-623C-0F00-000000004202}100C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117315Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.818{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-286D-623C-0E00-000000004202}980C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117314Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.818{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-286D-623C-0D00-000000004202}884C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117313Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.818{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-286C-623C-0C00-000000004202}824C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117312Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.818{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117311Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.818{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-286A-623C-0900-000000004202}560C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117310Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.802{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4E57-623C-6605-000000004202}6804C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117309Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.802{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117308Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.787{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117307Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.771{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117306Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.771{5F3DCEF0-4E50-623C-6405-000000004202}65446556C:\Windows\system32\conhost.exe{5F3DCEF0-4E6A-623C-6A05-000000004202}2680C:\Windows\system32\findstr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117305Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.771{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117304Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.771{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117303Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.771{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117302Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.771{5F3DCEF0-4E50-623C-6405-000000004202}65446556C:\Windows\system32\conhost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117301Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.771{5F3DCEF0-289E-623C-8500-000000004202}29806004C:\Windows\system32\csrss.exe{5F3DCEF0-4E6A-623C-6A05-000000004202}2680C:\Windows\system32\findstr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117300Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.771{5F3DCEF0-4E50-623C-6305-000000004202}61046536C:\Windows\system32\cmd.exe{5F3DCEF0-4E6A-623C-6A05-000000004202}2680C:\Windows\system32\findstr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+c3f6|C:\Windows\system32\cmd.exe+4917|C:\Windows\system32\cmd.exe+c378|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000117299Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.780{5F3DCEF0-4E6A-623C-6A05-000000004202}2680C:\Windows\System32\findstr.exe10.0.14393.0 (rs1_release.160715-1616)Find String (QGREP) UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationFINDSTR.EXEfindstr doublezero.exeC:\Users\Administrator\ATTACKRANGE\Administrator{5F3DCEF0-28A0-623C-DB99-080000000000}0x899db2HighMD5=15B171EC73E7B71F4EBB4247E716271E,SHA256=2956F7BC863498DFCC868CE7DF4C9C131A4A5C17B065658456AFEF7566ACE1EE,IMPHASH=D7962312082AAB17974D6817E09E5D7A{5F3DCEF0-4E50-623C-6305-000000004202}6104C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 10341000x8000000000000000117298Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.771{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117297Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.771{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117296Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.771{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117295Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.771{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117294Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.771{5F3DCEF0-289E-623C-8500-000000004202}29802452C:\Windows\system32\csrss.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117293Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.771{5F3DCEF0-4E50-623C-6305-000000004202}61046536C:\Windows\system32\cmd.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+c3f6|C:\Windows\system32\cmd.exe+484b|C:\Windows\system32\cmd.exe+c378|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000117292Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.779{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\System32\tasklist.exe10.0.14393.0 (rs1_release.160715-1616)Lists the current running tasksMicrosoft® Windows® Operating SystemMicrosoft Corporationtasklist.exetasklist C:\Users\Administrator\ATTACKRANGE\Administrator{5F3DCEF0-28A0-623C-DB99-080000000000}0x899db2HighMD5=6F2FDCF651A1650FC7B4FC5A860E4D9D,SHA256=27EDDAC6A2E5A74DF67C534393B0B025B03D61310748BE016DCE348A02D30A22,IMPHASH=9C5CFDDF3336412B8046D54234415205{5F3DCEF0-4E50-623C-6305-000000004202}6104C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 23542300x8000000000000000117291Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.615{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=127D82F38D38E63DB701D58B89415E5F,SHA256=F2C9311F7241F815D044590F35E67826C9B6717892AD1D681D475E0A5AA31658,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084674Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:40.600{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51606-false10.0.1.12-8000- 23542300x800000000000000084673Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:43.072{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3BC9A01D0133CF09004A40C6412B1E1,SHA256=78854DD5F3920938DC88B9D4C1B7350B706FD554C639CF3BE9DA6598DC68E451,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117538Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:43.037{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B672D4FD1138B4E07772DD5E44722A24,SHA256=C2358DA3072911F5AB0A49D2F3900441C9CBF79DD56CF9430678F52528968FCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117537Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:43.021{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1147377BEC0D36BA2E70FF2BFDFA646,SHA256=51C09F0D83A6AEFEB514CA1234BD305FA1CF58FB2F0178544B562EBA750124C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084675Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:44.167{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0C8E72EEF224ED18044EA214D46E8DD,SHA256=F7C5C687AB1495F6B2BEA484B9D35856BDB04659965F9325397D7E72300F52DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117539Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:44.177{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FC01DE89B1D0F93D5963F369809BB75,SHA256=36D91318A746873EC77F230ACE79B7B5287002D0BB5A8ADC881E098A3D320ABC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084676Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:45.261{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21F12B292659C5FFCDC12D023C870F9F,SHA256=BE192A00C538ECE6A8FA62BF1A9F28CEF99089943DC0E13F18A63B7B3F6C6820,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117540Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:45.224{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA90B1DF3534DDCA199947660A648DC2,SHA256=28487393654A75BC697F231B97B533572A90C04DD6A2FAF516FDB979462D8A6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084677Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:46.354{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE26E0C2A04982DBC71FC4B09EDD6E0D,SHA256=80A2E2F7F93BF92C963B2A581942AD1F1C98300320E5327A7A67459316DB3DB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117542Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:46.318{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80699CA0C62E541349FB245889B22E92,SHA256=34ED07719E63489F38EF02B9AB11E0DD04806DEB73D0017567B6530401FC3BD8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000117541Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:43.832{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63204-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000084678Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:47.448{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD7F3382D0DAFD642266F0C4B87D96C9,SHA256=28C97E26E8EEB9921C3556E35BF1B2DA3433FAE265AFF39A08F5A91FDED3EE09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117543Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:47.412{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=209794C9CF56254BAF7F60319D955E92,SHA256=091097B512E1CC1058F5936BFCC68C53F7F50C267BCF5DC90872CCB908AB92DF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084680Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:45.605{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51607-false10.0.1.12-8000- 23542300x800000000000000084679Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:48.542{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=682B2C11EDEBCE89620580AA4AF40120,SHA256=DE8BFCADAECEBD79C0A8F7D69B2874E16AD6F932D6A04DF2D5505D8573E72A0C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117546Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:48.833{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117545Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:48.833{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000117544Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:48.505{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0050F1AB3078946470330EDF800807A,SHA256=0E54C257C865793721312999DBE60A6CA9F1F4A8BE96820E263D509B2B977FDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084681Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:49.636{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E533297A995F40F63C608581B48CFF7,SHA256=8713DC098A63B8AC04C737FBA4F20B153E3A971B63F6413C08945E5BEEDF37A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117547Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:49.599{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=450AD666E26928601B499FF37C563248,SHA256=FCD1F05DAD8A29F5D81D42DBBCC93B106A061F0477CAAF543FBF00F7AACC29FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084682Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:50.729{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6ABFC3520A6DB82A6CA0C3E9411F57E,SHA256=1F09D668F70C9D8C5A464575A2408E000DA7C24C46A7BFEBD3AB68F77B8C0C66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117548Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:50.693{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFF9F0A2C3E6D740668AEEB6B42A307C,SHA256=059321CD92394E52F74FB669EF169D6DD8B8C81D5AB1168A617CB9A0745028C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084683Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:51.823{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42B24FDEF21C8975BA775172AC9C1970,SHA256=8AAA6BAD772D2962F7C9DB6AF8C43A003A7EC2291DFA718AD947B31F01363D8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117550Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:51.787{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4030D88003C9FCAB4066A9F06FE4F8A0,SHA256=B3252F2320C04FC27419AB82DF485C1B4F90C6523F7EA0320B027F147A216009,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000117549Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:49.863{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63205-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000084710Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:52.948{9531C931-4E74-623C-FE04-000000004302}4163996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000117551Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:52.990{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=777E528C8A05B95BE9355AA10B403306,SHA256=B84C0829749A8B6E2CF47E43988F0E837ADD572073806CDCF61B762A6E0B8B4F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084709Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:52.729{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4E74-623C-FE04-000000004302}416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084708Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:52.729{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084707Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:52.729{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084706Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:52.729{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084705Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:52.729{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084704Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:52.729{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084703Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:52.729{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084702Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:52.729{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084701Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:52.729{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084700Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:52.729{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084699Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:52.729{9531C931-286C-623C-0500-000000004302}4081060C:\Windows\system32\csrss.exe{9531C931-4E74-623C-FE04-000000004302}416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084698Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:52.729{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4E74-623C-FE04-000000004302}416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084697Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:52.730{9531C931-4E74-623C-FE04-000000004302}416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000084696Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:52.229{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4E74-623C-FD04-000000004302}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084695Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:52.229{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084694Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:52.229{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084693Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:52.229{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084692Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:52.229{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084691Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:52.229{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084690Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:52.229{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084689Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:52.229{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084688Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:52.229{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084687Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:52.229{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084686Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:52.229{9531C931-286C-623C-0500-000000004302}408528C:\Windows\system32\csrss.exe{9531C931-4E74-623C-FD04-000000004302}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084685Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:52.229{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4E74-623C-FD04-000000004302}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084684Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:52.230{9531C931-4E74-623C-FD04-000000004302}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000084713Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:50.793{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51608-false10.0.1.12-8000- 23542300x800000000000000084712Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:53.386{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5008CABB485C5EF773E058466BB6620,SHA256=3FE4F0D85D8F37CE16026B2229F8B07781442C9BF12882D01550ED2480CD2A2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084711Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:53.386{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3EC1D5D967E76A7F1200BCB9A064FDB6,SHA256=3C286D05F9F30EECA5FE83255BE0E8410CB8D283BD3F9B864E40D735B77430DE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117577Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:53.271{5F3DCEF0-28A1-623C-9400-000000004202}50246424C:\Windows\Explorer.EXE{5F3DCEF0-4E75-623C-6B05-000000004202}2520C:\Windows\system32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117576Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:53.271{5F3DCEF0-28A1-623C-9400-000000004202}50246424C:\Windows\Explorer.EXE{5F3DCEF0-4E75-623C-6B05-000000004202}2520C:\Windows\system32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117575Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:53.271{5F3DCEF0-28A1-623C-9400-000000004202}50246424C:\Windows\Explorer.EXE{5F3DCEF0-4E75-623C-6B05-000000004202}2520C:\Windows\system32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117574Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:53.224{5F3DCEF0-28A1-623C-8F00-000000004202}47164784C:\Windows\system32\taskhostw.exe{5F3DCEF0-4E75-623C-6B05-000000004202}2520C:\Windows\system32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117573Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:53.224{5F3DCEF0-28A1-623C-8F00-000000004202}47164784C:\Windows\system32\taskhostw.exe{5F3DCEF0-4E75-623C-6B05-000000004202}2520C:\Windows\system32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117572Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:53.208{5F3DCEF0-28A1-623C-9400-000000004202}50246596C:\Windows\Explorer.EXE{5F3DCEF0-4E75-623C-6B05-000000004202}2520C:\Windows\system32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117571Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:53.208{5F3DCEF0-28A1-623C-9400-000000004202}50246596C:\Windows\Explorer.EXE{5F3DCEF0-4E75-623C-6B05-000000004202}2520C:\Windows\system32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117570Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:53.208{5F3DCEF0-28A1-623C-9400-000000004202}50246596C:\Windows\Explorer.EXE{5F3DCEF0-4E75-623C-6B05-000000004202}2520C:\Windows\system32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117569Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:53.208{5F3DCEF0-28A1-623C-9400-000000004202}50246596C:\Windows\Explorer.EXE{5F3DCEF0-4E75-623C-6B05-000000004202}2520C:\Windows\system32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117568Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:53.208{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4E75-623C-6B05-000000004202}2520C:\Windows\system32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bc660|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117567Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:53.208{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4E75-623C-6B05-000000004202}2520C:\Windows\system32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10ac30|C:\Windows\System32\SHELL32.dll+bc61c|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117566Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:53.208{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4E75-623C-6B05-000000004202}2520C:\Windows\system32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bc5f0|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117565Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:53.208{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4E75-623C-6B05-000000004202}2520C:\Windows\system32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+1007b9|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117564Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:53.178{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-4E75-623C-6B05-000000004202}2520C:\Windows\system32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000117563Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:53.162{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\Temp.lnk2022-03-23 15:36:07.099 23542300x8000000000000000117562Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:53.162{5F3DCEF0-28A1-623C-9400-000000004202}5024ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\Temp.lnkMD5=177F371888C035014245590A7544F0B8,SHA256=7F6B1398A194BA325EE5C324B1BF6466F58BBA08A7F80EEA25F83678F6D6E965,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000117561Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:53.146{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\gclass5_frmt.txt.lnk2022-03-24 10:56:53.146 10341000x8000000000000000117560Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:53.099{5F3DCEF0-286D-623C-1600-000000004202}12601932C:\Windows\system32\svchost.exe{5F3DCEF0-4E75-623C-6B05-000000004202}2520C:\Windows\system32\NOTEPAD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117559Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:53.099{5F3DCEF0-286D-623C-1600-000000004202}12601344C:\Windows\system32\svchost.exe{5F3DCEF0-4E75-623C-6B05-000000004202}2520C:\Windows\system32\NOTEPAD.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117558Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:53.068{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117557Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:53.068{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117556Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:53.068{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117555Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:53.068{5F3DCEF0-289E-623C-8500-000000004202}29806004C:\Windows\system32\csrss.exe{5F3DCEF0-4E75-623C-6B05-000000004202}2520C:\Windows\system32\NOTEPAD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117554Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:53.068{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117553Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:53.068{5F3DCEF0-28A1-623C-9400-000000004202}50242132C:\Windows\Explorer.EXE{5F3DCEF0-4E75-623C-6B05-000000004202}2520C:\Windows\system32\NOTEPAD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e70b|C:\Windows\System32\windows.storage.dll+16e421|C:\Windows\System32\windows.storage.dll+16e06e|C:\Windows\System32\windows.storage.dll+16f310|C:\Windows\System32\windows.storage.dll+16ddbe|C:\Windows\System32\windows.storage.dll+fce7d|C:\Windows\System32\windows.storage.dll+fd5bc|C:\Windows\System32\windows.storage.dll+fc920|C:\Windows\System32\windows.storage.dll+1664ca|C:\Windows\System32\windows.storage.dll+166222|C:\Windows\System32\SHELL32.dll+9cf3d|C:\Windows\System32\SHELL32.dll+9bad6|C:\Windows\System32\SHELL32.dll+d9be1|C:\Windows\System32\SHELL32.dll+c0bbe|C:\Windows\System32\SHELL32.dll+18d1bc|C:\Windows\System32\SHELL32.dll+18cf13|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000117552Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:53.073{5F3DCEF0-4E75-623C-6B05-000000004202}2520C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Temp\gclass5_frmt.txtC:\Temp\ATTACKRANGE\Administrator{5F3DCEF0-28A0-623C-DB99-080000000000}0x899db2HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x8000000000000000117584Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:54.856{5F3DCEF0-287B-623C-2F00-000000004202}3064NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-055648375a9ac07a7\channels\health\respondent-20220324081453-157MD5=AC296348C12F899BF0F527F2984A2DD1,SHA256=A35560BD23E94F5C9C2AA7752B988DA786BB94608EDDAF755EB3DCD02CE684A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117583Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:54.570{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-286D-623C-1500-000000004202}1220C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117582Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:54.570{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-286D-623C-1500-000000004202}1220C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117581Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:54.570{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-286D-623C-1500-000000004202}1220C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000117580Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:54.445{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5FEE9649BE53D4B9EB91152AA37F5D05,SHA256=348472A409C42B48090B79A913BFD777F71B597795469F27B3A91B37D30F00AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117579Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:54.146{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=BB193071818E53752319E78A5F740278,SHA256=E7991311BE3955CC1AD23894D502A53C2BB9D85D9F00D7F27714676EC8C4AC75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117578Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:54.083{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F08697BE189BD3139FFA71943FDB2720,SHA256=694821227FFC9BB6A5663319E018597E27E66942FB9608805F4096BA240F49BC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084718Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:54.995{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084717Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:54.995{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084716Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:54.995{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4E76-623C-FF04-000000004302}3708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084715Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:54.996{9531C931-4E76-623C-FF04-000000004302}3708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000084714Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:54.026{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5DE508C5B1D4D98791E28DB72C14AD5,SHA256=8DA66A6CAC06A5F2886EF0B9717C125B31FD39FBA0556249A749F11B1A0289D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117586Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:55.868{5F3DCEF0-287B-623C-2F00-000000004202}3064NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-055648375a9ac07a7\channels\health\surveyor-20220324081451-158MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117585Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:55.179{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D946F603BDCCA2C75EF36EE4FB19660A,SHA256=2AFDC409433BE7EB973F20D559EB99BB130380EEE677A0A7CC27D0E90E1E0572,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084729Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:55.511{9531C931-286E-623C-2100-000000004302}2000NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=C931287B19EC8CA8625BBC118BF825A1,SHA256=8600C67A0E1323B58B1076FEC14E8812D3D7B941EB5A52B77C52B96958BB2C6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084728Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:55.120{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DE183A2DFE1A85CD71FF5DAD1EB1A63,SHA256=5FC9151CBA17F653F7A6E600C43B0109C709E14590DB6990A6FA648F4D84370C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084727Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:54.995{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4E76-623C-FF04-000000004302}3708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084726Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:54.995{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084725Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:54.995{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084724Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:54.995{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084723Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:54.995{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084722Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:54.995{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084721Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:54.995{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084720Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:54.995{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084719Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:54.995{9531C931-286C-623C-0500-000000004302}408424C:\Windows\system32\csrss.exe{9531C931-4E76-623C-FF04-000000004302}3708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 23542300x8000000000000000117587Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:56.276{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9838133AB0BCD44B264155298A7B222,SHA256=3AD8A02B367E20F5F3B45790703F4714FF5F8C29C906C033FB8689798CF6A501,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084758Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:56.853{9531C931-4E78-623C-0105-000000004302}250496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084757Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:56.635{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4E78-623C-0105-000000004302}2504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084756Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:56.635{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084755Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:56.635{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084754Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:56.635{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084753Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:56.635{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084752Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:56.635{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084751Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:56.635{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084750Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:56.635{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084749Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:56.635{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084748Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:56.635{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084747Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:56.635{9531C931-286C-623C-0500-000000004302}408424C:\Windows\system32\csrss.exe{9531C931-4E78-623C-0105-000000004302}2504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084746Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:56.635{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4E78-623C-0105-000000004302}2504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084745Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:56.636{9531C931-4E78-623C-0105-000000004302}2504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000084744Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:56.419{9531C931-4E78-623C-0005-000000004302}14204088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000084743Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:56.213{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C40092C6C8A1B4117E28FBA445801372,SHA256=6750AB92FA60EB9DC9F19965CE71053259127ECF4ABC64EF5586F70FF18D9001,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084742Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:56.135{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4E78-623C-0005-000000004302}1420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084741Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:56.135{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084740Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:56.135{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084739Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:56.135{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084738Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:56.135{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084737Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:56.135{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084736Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:56.135{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084735Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:56.135{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084734Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:56.135{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084733Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:56.135{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084732Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:56.135{9531C931-286C-623C-0500-000000004302}4081060C:\Windows\system32\csrss.exe{9531C931-4E78-623C-0005-000000004302}1420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084731Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:56.135{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4E78-623C-0005-000000004302}1420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084730Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:56.135{9531C931-4E78-623C-0005-000000004302}1420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000084773Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:57.432{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2481C79C51E135D7B6224E5DD923EE2,SHA256=713498830FF64EBB146CB409262DDF163EDBD42284020B2C0D193B3F61EAF052,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084772Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:57.322{9531C931-4E79-623C-0205-000000004302}2564948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000117589Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:55.837{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63206-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000117588Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:57.373{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B54AC3CDBF7F0B747FB56CE14D3B4D2C,SHA256=57280687EE3DAF8FAB18E5C0BCE04033F31E6F11EB2A464B58D51139BFFA5580,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084771Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:57.135{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4E79-623C-0205-000000004302}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084770Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:57.135{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084769Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:57.135{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084768Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:57.135{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084767Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:57.135{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084766Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:57.135{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084765Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:57.135{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084764Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:57.135{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084763Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:57.135{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084762Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:57.135{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084761Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:57.135{9531C931-286C-623C-0500-000000004302}4081060C:\Windows\system32\csrss.exe{9531C931-4E79-623C-0205-000000004302}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084760Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:57.135{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4E79-623C-0205-000000004302}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084759Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:57.136{9531C931-4E79-623C-0205-000000004302}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000084775Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:56.792{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51609-false10.0.1.12-8000- 23542300x800000000000000084774Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:58.431{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF976731773C9D339537C0E3191B5E9C,SHA256=EFE23CEE3C3AC83D0DF312C86B27AF368819A07F896F2FB175FE18AD7705EC61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117590Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:58.466{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45421666910D0091A305CD459D8314D4,SHA256=C13D4AF00A58E797EF26E2DCA108B582DF9CFA5C2565087BE081A4C477936254,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084789Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:59.556{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4E7B-623C-0305-000000004302}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084788Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:59.556{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084787Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:59.556{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084786Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:59.556{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084785Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:59.556{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084784Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:59.556{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084783Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:59.556{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084782Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:59.556{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084781Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:59.556{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084780Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:59.556{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084779Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:59.556{9531C931-286C-623C-0500-000000004302}408424C:\Windows\system32\csrss.exe{9531C931-4E7B-623C-0305-000000004302}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084778Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:59.556{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4E7B-623C-0305-000000004302}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084777Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:59.557{9531C931-4E7B-623C-0305-000000004302}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000084776Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:59.525{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87FF676AB70CCEBBD1E24BD4E6B0853F,SHA256=727152426BEC2FB7A52EDF4323AD8866856D68FD57C6AEF19C4C5D8C1D87CC7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117591Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:59.560{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7A6403E746ECD33745483AB2C90B70F,SHA256=B00DB38C61D1DEE3FABE21D452CF15F6E49E547E9101EE77104D485310D799A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084791Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:00.760{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=904E5423BA847A16E2E81E61953F8EB2,SHA256=04CB67991575840DAE40D4AB64AECD428D4F98E09B44A78BA2A8E0BC58F2F613,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084790Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:00.619{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC240FC1C28282C5E340E2E8E60BD8FA,SHA256=078F6BB29F36B1BBD0E0B1DEB140B1B651DCD0D579653E1528BEF8A9DFC5FB3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117592Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:00.654{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADA76054E6FCF625C59C55114CDBC923,SHA256=10E7B45541E7F4530CB6C9102D7525F4CB5BDE20BA518EE2C6C6D09D9229C084,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084792Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:01.713{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8E3A4706F408E36B19BA21226253072,SHA256=4C61441E3C210912CE9DF5AFE33F8EBA17F4D1C752BA371118BB65660B59F5FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117597Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:01.748{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6684BF034514B9A63A97C3C541BD0F2F,SHA256=93DC4EFA1D2D08B1F636451A63CBD8C5154C4173CDEC53E8B4CC641F096A2DF4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117596Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:01.170{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3400-000000004202}2020C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117595Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:01.170{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3400-000000004202}2020C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117594Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:01.170{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3400-000000004202}2020C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117593Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:01.170{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3400-000000004202}2020C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000084793Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:02.806{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FA1111EC42285835C8F8D4B66511EEF,SHA256=A1E91BF77FF467BBE4F38BDBE9CF1A318F0176121DACD0546282CF7C1D40553A,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000117644Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.936{5F3DCEF0-4E7E-623C-6C05-000000004202}6280C:\Temp\doublezero.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x8000000000000000117643Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.920{5F3DCEF0-286B-623C-0B00-000000004202}620744C:\Windows\system32\lsass.exe{5F3DCEF0-4E7E-623C-6C05-000000004202}6280C:\Temp\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117642Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.920{5F3DCEF0-286B-623C-0B00-000000004202}620744C:\Windows\system32\lsass.exe{5F3DCEF0-4E7E-623C-6C05-000000004202}6280C:\Temp\doublezero.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117641Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.920{5F3DCEF0-286B-623C-0B00-000000004202}620744C:\Windows\system32\lsass.exe{5F3DCEF0-4E7E-623C-6C05-000000004202}6280C:\Temp\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117640Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.920{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E7E-623C-6C05-000000004202}6280C:\Temp\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117639Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.905{5F3DCEF0-286B-623C-0B00-000000004202}620744C:\Windows\system32\lsass.exe{5F3DCEF0-4E7E-623C-6C05-000000004202}6280C:\Temp\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117638Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.905{5F3DCEF0-286B-623C-0B00-000000004202}620744C:\Windows\system32\lsass.exe{5F3DCEF0-4E7E-623C-6C05-000000004202}6280C:\Temp\doublezero.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117637Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.905{5F3DCEF0-286B-623C-0B00-000000004202}620744C:\Windows\system32\lsass.exe{5F3DCEF0-4E7E-623C-6C05-000000004202}6280C:\Temp\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117636Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.873{5F3DCEF0-286B-623C-0B00-000000004202}620744C:\Windows\system32\lsass.exe{5F3DCEF0-4E7E-623C-6C05-000000004202}6280C:\Temp\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000117635Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.841{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FEE29F046AEF8F80D7F23D45F5FDBEC,SHA256=976D205D7324B6647E566378FE8BB3B66CD11548537AADAC9299DC95F4FFE405,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117634Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.826{5F3DCEF0-28A1-623C-9400-000000004202}50246424C:\Windows\Explorer.EXE{5F3DCEF0-4E7E-623C-6C05-000000004202}6280C:\Temp\doublezero.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117633Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.826{5F3DCEF0-28A1-623C-9400-000000004202}50246424C:\Windows\Explorer.EXE{5F3DCEF0-4E7E-623C-6C05-000000004202}6280C:\Temp\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117632Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.826{5F3DCEF0-28A1-623C-9400-000000004202}50246424C:\Windows\Explorer.EXE{5F3DCEF0-4E7E-623C-6C05-000000004202}6280C:\Temp\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117631Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.826{5F3DCEF0-28A1-623C-8F00-000000004202}47164784C:\Windows\system32\taskhostw.exe{5F3DCEF0-4E7E-623C-6D05-000000004202}6152C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117630Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.826{5F3DCEF0-28A1-623C-8F00-000000004202}47164784C:\Windows\system32\taskhostw.exe{5F3DCEF0-4E7E-623C-6D05-000000004202}6152C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117629Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.810{5F3DCEF0-28A1-623C-9400-000000004202}50246596C:\Windows\Explorer.EXE{5F3DCEF0-4E7E-623C-6C05-000000004202}6280C:\Temp\doublezero.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117628Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.810{5F3DCEF0-28A1-623C-9400-000000004202}50246596C:\Windows\Explorer.EXE{5F3DCEF0-4E7E-623C-6C05-000000004202}6280C:\Temp\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117627Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.810{5F3DCEF0-28A1-623C-9400-000000004202}50246596C:\Windows\Explorer.EXE{5F3DCEF0-4E7E-623C-6C05-000000004202}6280C:\Temp\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117626Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.810{5F3DCEF0-28A1-623C-9400-000000004202}50246596C:\Windows\Explorer.EXE{5F3DCEF0-4E7E-623C-6C05-000000004202}6280C:\Temp\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117625Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.810{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4E7E-623C-6D05-000000004202}6152C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bc660|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117624Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.810{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4E7E-623C-6D05-000000004202}6152C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10ac30|C:\Windows\System32\SHELL32.dll+bc61c|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117623Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.810{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4E7E-623C-6D05-000000004202}6152C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bc5f0|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117622Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.810{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4E7E-623C-6D05-000000004202}6152C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+1007b9|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117621Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.779{5F3DCEF0-286D-623C-1600-000000004202}12601932C:\Windows\system32\svchost.exe{5F3DCEF0-4E7E-623C-6D05-000000004202}6152C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117620Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.779{5F3DCEF0-286D-623C-1600-000000004202}12601344C:\Windows\system32\svchost.exe{5F3DCEF0-4E7E-623C-6D05-000000004202}6152C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117619Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.513{5F3DCEF0-4E7E-623C-6D05-000000004202}6152352C:\Windows\system32\conhost.exe{5F3DCEF0-4E7E-623C-6C05-000000004202}6280C:\Temp\doublezero.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117618Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.498{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4E7E-623C-6E05-000000004202}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117617Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.498{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117616Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.498{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117615Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.498{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117614Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.498{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117613Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.498{5F3DCEF0-286A-623C-0500-000000004202}404420C:\Windows\system32\csrss.exe{5F3DCEF0-4E7E-623C-6E05-000000004202}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117612Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.498{5F3DCEF0-289E-623C-8500-000000004202}29806004C:\Windows\system32\csrss.exe{5F3DCEF0-4E7E-623C-6D05-000000004202}6152C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117611Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.498{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4E7E-623C-6E05-000000004202}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000117610Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.499{5F3DCEF0-4E7E-623C-6E05-000000004202}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000117609Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.498{5F3DCEF0-286D-623C-1200-000000004202}3961416C:\Windows\System32\svchost.exe{5F3DCEF0-4E7E-623C-6D05-000000004202}6152C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000117608Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:00.840{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63207-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000117607Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.482{5F3DCEF0-286D-623C-1200-000000004202}3961416C:\Windows\System32\svchost.exe{5F3DCEF0-4E7E-623C-6C05-000000004202}6280C:\Temp\doublezero.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117606Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.482{5F3DCEF0-286D-623C-1200-000000004202}3961060C:\Windows\System32\svchost.exe{5F3DCEF0-4E7E-623C-6C05-000000004202}6280C:\Temp\doublezero.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117605Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.482{5F3DCEF0-286D-623C-1200-000000004202}3961060C:\Windows\System32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117604Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.482{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117603Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.482{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117602Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.482{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117601Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.482{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117600Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.482{5F3DCEF0-289E-623C-8500-000000004202}29804132C:\Windows\system32\csrss.exe{5F3DCEF0-4E7E-623C-6C05-000000004202}6280C:\Temp\doublezero.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117599Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.482{5F3DCEF0-28A1-623C-9400-000000004202}50246948C:\Windows\Explorer.EXE{5F3DCEF0-4E7E-623C-6C05-000000004202}6280C:\Temp\doublezero.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e70b|C:\Windows\System32\windows.storage.dll+16e421|C:\Windows\System32\windows.storage.dll+16e06e|C:\Windows\System32\windows.storage.dll+16f310|C:\Windows\System32\windows.storage.dll+16ddbe|C:\Windows\System32\windows.storage.dll+fce7d|C:\Windows\System32\windows.storage.dll+fd5bc|C:\Windows\System32\windows.storage.dll+fc920|C:\Windows\System32\windows.storage.dll+1664ca|C:\Windows\System32\windows.storage.dll+166222|C:\Windows\System32\SHELL32.dll+9cf3d|C:\Windows\System32\SHELL32.dll+9bad6|C:\Windows\System32\SHELL32.dll+d9be1|C:\Windows\System32\SHELL32.dll+c0bbe|C:\Windows\System32\SHELL32.dll+15890c|C:\Windows\System32\SHELL32.dll+1982a8|C:\Windows\System32\SHELL32.dll+284613|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+158c54 154100x8000000000000000117598Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.492{5F3DCEF0-4E7E-623C-6C05-000000004202}6280C:\Temp\doublezero.exe-----"C:\Temp\doublezero.exe" C:\Temp\ATTACKRANGE\Administrator{5F3DCEF0-28A0-623C-DB99-080000000000}0x899db2HighMD5=7D20FA01A703AFA8907E50417D27B0A4,SHA256=3B2E708EAA4744C76A633391CF2C983F4A098B46436525619E5EA44E105355FE,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x800000000000000084795Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:03.900{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64F2F3E6A3D4A0B38AE00057365C7DDC,SHA256=D881A61C38F59DE0A0FF1730961DBD4855274B4C0796E1CAF76E32587DF13761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117647Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:03.935{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFB7B67F5E384E252336018B0BC378A9,SHA256=D92D73CF301FC543EC36B80B592F9426D21407AD83BE9BB4731B58651906D858,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000084794Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 10:57:03.416{9531C931-286E-623C-1500-000000004302}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d83f6d-0xe50bb8bf) 23542300x8000000000000000117646Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:03.576{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=95A4818A86F3B636F8E3597975095778,SHA256=14C5ECDB1648BF4BE4A3B0B966EB0A0AF5DE0D63F084CB78D0DB33C336F9F030,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117645Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:03.013{5F3DCEF0-4E7E-623C-6C05-000000004202}6280ATTACKRANGE\AdministratorC:\Temp\doublezero.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\SchCache\win-dc-tcontreras-attack-range-891.attackrange.local.schMD5=3B3531A335298119AD90D9B9BEB810AF,SHA256=77996876B4230A7DFCE13A77C0AA2E3B969AFA2A4562FD8583B6DDE3742EB2AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084796Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:04.994{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=528D68ACE0E5DDDD210557E70D44C7D3,SHA256=7C687D09748B122FBB817635C82028F5DD1FF98700410427D679CD4650D7144B,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000117667Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.935{5F3DCEF0-4E7E-623C-6C05-000000004202}6280win-dc-tcontreras-attack-range-891.attackrange.local0fe80::44c5:ef28:42ec:7b5;::ffff:10.0.1.14;C:\Temp\doublezero.exe 10341000x8000000000000000117666Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:04.716{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4E80-623C-7005-000000004202}6616C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117665Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:04.716{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117664Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:04.716{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117663Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:04.716{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117662Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:04.716{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117661Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:04.716{5F3DCEF0-286A-623C-0500-000000004202}404420C:\Windows\system32\csrss.exe{5F3DCEF0-4E80-623C-7005-000000004202}6616C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117660Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:04.716{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4E80-623C-7005-000000004202}6616C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000117659Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:04.717{5F3DCEF0-4E80-623C-7005-000000004202}6616C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000117658Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.696{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63208-false10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local389ldap 354300x8000000000000000117657Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.696{5F3DCEF0-4E7E-623C-6C05-000000004202}6280C:\Temp\doublezero.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63208-false10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local389ldap 10341000x8000000000000000117656Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:04.248{5F3DCEF0-4E80-623C-6F05-000000004202}40001120C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117655Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:04.045{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4E80-623C-6F05-000000004202}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117654Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:04.045{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117653Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:04.045{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117652Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:04.045{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117651Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:04.045{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117650Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:04.045{5F3DCEF0-286A-623C-0500-000000004202}4041324C:\Windows\system32\csrss.exe{5F3DCEF0-4E80-623C-6F05-000000004202}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117649Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:04.045{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4E80-623C-6F05-000000004202}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000117648Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:04.046{5F3DCEF0-4E80-623C-6F05-000000004202}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000084797Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:01.807{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51610-false10.0.1.12-8000- 10341000x8000000000000000117674Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:05.357{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3400-000000004202}2020C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117673Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:05.357{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3400-000000004202}2020C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117672Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:05.357{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3400-000000004202}2020C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117671Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:05.357{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3400-000000004202}2020C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000117670Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:05.201{5F3DCEF0-287B-623C-3200-000000004202}2344NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=9FE35D7CBE85F8947343C5D5FE6792C4,SHA256=1C9B433EB911967278A43CFD7266F7624DD044AC30C6D81B5295E51B0B8C507A,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000117669Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.localInvDBSetValue2022-03-24 10:57:05.045{5F3DCEF0-286D-623C-1200-000000004202}396C:\Windows\System32\svchost.exeHKU\S-1-5-21-121674864-1922237361-2357191555-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Temp\doublezero.exeBinary Data 23542300x8000000000000000117668Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:05.029{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E22622B3CE4600E43E25B4D99FB00E08,SHA256=66CCDCC9EF3C54C9FC3CB37329696506E94EFD46BCACB38470958ECC17C21321,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084798Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:06.088{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9B3F634CFCF0BBE36B5ECABD13F028B,SHA256=AE768F39AE6C55E27CBE1CC7EE000A4A8CBF7391C9E691320098FFAD1117FB5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117675Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:06.123{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC5FE8466BCCE516FF9532103E038721,SHA256=4812E74341D1B81E2B1239AD52FCB5851EDA4AB40ACEF8D771753370C36C20CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000117688Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:05.980{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63210-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000117687Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:05.793{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local63209-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local389ldap 354300x8000000000000000117686Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:05.793{5F3DCEF0-287B-623C-2E00-000000004202}3044C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local63209-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local389ldap 10341000x8000000000000000117685Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:07.638{5F3DCEF0-4E83-623C-7105-000000004202}70245184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117684Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:07.451{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4E83-623C-7105-000000004202}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117683Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:07.451{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117682Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:07.451{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117681Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:07.451{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117680Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:07.451{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117679Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:07.451{5F3DCEF0-286A-623C-0500-000000004202}404420C:\Windows\system32\csrss.exe{5F3DCEF0-4E83-623C-7105-000000004202}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117678Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:07.451{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4E83-623C-7105-000000004202}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000117677Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:07.453{5F3DCEF0-4E83-623C-7105-000000004202}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000117676Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:07.217{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A111959677CD09892D942345CF6CD53,SHA256=162CDDC25EC0B8CE53A5B268F81DD8107B6DAF15C6547CBFBE9EFCB4FFC7FE5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084799Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:07.181{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DA2E88A2147F900DB8261C0F6C13D53,SHA256=1F8959CA9E8B6F76E0E18E19E8486BEB5562B0CAC362550971AC8BF010A79182,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117705Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:08.638{5F3DCEF0-28A1-623C-9400-000000004202}50246424C:\Windows\Explorer.EXE{5F3DCEF0-4E50-623C-6305-000000004202}6104C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117704Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:08.638{5F3DCEF0-28A1-623C-9400-000000004202}50246424C:\Windows\Explorer.EXE{5F3DCEF0-4E50-623C-6305-000000004202}6104C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117703Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:08.638{5F3DCEF0-28A1-623C-9400-000000004202}50246424C:\Windows\Explorer.EXE{5F3DCEF0-4E50-623C-6305-000000004202}6104C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117702Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:08.638{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4E50-623C-6405-000000004202}6544C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bc660|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117701Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:08.638{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4E50-623C-6405-000000004202}6544C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10ac30|C:\Windows\System32\SHELL32.dll+bc61c|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117700Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:08.638{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4E50-623C-6405-000000004202}6544C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bc5f0|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117699Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:08.638{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4E50-623C-6405-000000004202}6544C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+1007b9|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117698Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:08.498{5F3DCEF0-4E84-623C-7205-000000004202}50323536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117697Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:08.326{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4E84-623C-7205-000000004202}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117696Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:08.326{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117695Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:08.326{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117694Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:08.326{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117693Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:08.326{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117692Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:08.326{5F3DCEF0-286A-623C-0500-000000004202}404608C:\Windows\system32\csrss.exe{5F3DCEF0-4E84-623C-7205-000000004202}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117691Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:08.326{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4E84-623C-7205-000000004202}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000117690Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:08.327{5F3DCEF0-4E84-623C-7205-000000004202}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000117689Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:08.310{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD77C108AF8DA87ACF481788A7EC9588,SHA256=CFEE6BBE113BB3863A3469B092430925D0857E97349D24BFDDBF6DBCFBAA17DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084800Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:08.275{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E710AF2CFC86ED6FAF4A0C1355706583,SHA256=7550EBB5D72EFB474ADB9F785ED93F6C577E828F2F4823A13C36D50B83A8DC43,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117723Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:09.670{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4E85-623C-7405-000000004202}2296C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117722Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:09.670{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117721Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:09.670{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117720Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:09.670{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117719Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:09.670{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117718Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:09.670{5F3DCEF0-286A-623C-0500-000000004202}404520C:\Windows\system32\csrss.exe{5F3DCEF0-4E85-623C-7405-000000004202}2296C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117717Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:09.670{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4E85-623C-7405-000000004202}2296C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000117716Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:09.670{5F3DCEF0-4E85-623C-7405-000000004202}2296C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000117715Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:09.420{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D8F5B4122B1BC6E252D4D1E92970594,SHA256=C892BAC5B7FC78473D9572422441470B6AD03A153DEC979F6E79A0C860DC0D62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084801Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:09.369{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=475E4B6487E7703AEAA67AE151DE46F5,SHA256=06434714C4B4FB596CD1A081A7DEBEF3EB7D5D64994596CA8B9A2F84F8E65C31,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117714Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:09.186{5F3DCEF0-4E84-623C-7305-000000004202}60163724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117713Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:08.998{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4E84-623C-7305-000000004202}6016C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117712Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:08.998{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117711Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:08.998{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117710Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:08.998{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117709Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:08.998{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117708Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:08.998{5F3DCEF0-286A-623C-0500-000000004202}404420C:\Windows\system32\csrss.exe{5F3DCEF0-4E84-623C-7305-000000004202}6016C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117707Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:08.998{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4E84-623C-7305-000000004202}6016C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000117706Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:08.998{5F3DCEF0-4E84-623C-7305-000000004202}6016C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000117725Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:10.529{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA9DE5A6133CA5592CE651F3CD748F2E,SHA256=D7F2653D0FFB1B8AE4A0284E8BE956826165E10131E1824F1783E1488EC67432,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084803Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:10.463{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F89F8E0387D51986EF886197C1860D3,SHA256=137CC0BEDFEEDAC48E51684923147BF2FF9011C3688E18CE9395808B2A833F3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117724Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:10.029{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1480C850B0CA5088AF1AF253824F8FB6,SHA256=842507A4DE57C45EAFD479B0E80BD75299E4C069A481A941757867B46B2D91B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084802Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:07.573{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51611-false10.0.1.12-8000- 10341000x8000000000000000117733Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:11.967{5F3DCEF0-286D-623C-1600-000000004202}12601932C:\Windows\system32\svchost.exe{5F3DCEF0-4E87-623C-7505-000000004202}4140C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117732Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:11.967{5F3DCEF0-286D-623C-1600-000000004202}12601344C:\Windows\system32\svchost.exe{5F3DCEF0-4E87-623C-7505-000000004202}4140C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117731Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:11.967{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E87-623C-7505-000000004202}4140C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117730Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:11.951{5F3DCEF0-289E-623C-8500-000000004202}29804132C:\Windows\system32\csrss.exe{5F3DCEF0-4E87-623C-7505-000000004202}4140C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117729Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:11.951{5F3DCEF0-286A-623C-0500-000000004202}404520C:\Windows\system32\csrss.exe{5F3DCEF0-4E87-623C-7505-000000004202}4140C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117728Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:11.951{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-4E87-623C-7505-000000004202}4140C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f553|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25bc9|c:\windows\system32\rpcss.dll+40ca2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117727Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:11.654{5F3DCEF0-28A1-623C-8F00-000000004202}47164784C:\Windows\system32\taskhostw.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000117726Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:11.625{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44AE92A88CE248DCD3724BE71B50EA47,SHA256=486ADAEDA50BE5858F69E9D572D35DF0AA283593B65587F9E1288E615EC2550C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084804Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:11.556{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B0F50F3D9B6C74E29A4B8FDA95B3423,SHA256=0166104BE69D4CFD548D60BA769C5BFD672B0AF0D81D832E540D238FED9F78B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117734Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:12.716{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C805A0187E5388D7E5A5E6910BA7FBA2,SHA256=46B1042F131C2FB90205843324A1701F6B2F403A8E4265B935D03779D078E663,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084805Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:12.650{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1DDEAD01086ECCBE1832A254EC9EE29,SHA256=5D9371C410818E3458492F8AD2454555561001F26E5B3FFF36A8CD1DD67A7E5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117736Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:13.811{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A92A3703C82F3C1DA5FC5F7E7393278,SHA256=209B2892DA0568C7D32529F7522B4AC6A88EDEFB56EDAC02D1D4074D2BBBE182,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084806Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:13.744{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D314D7E0645B38B2DB3A70D23FA93AED,SHA256=55F7BAFD046503B08D0BC50DDFB5D9C3E2E3EC08F6BB7E7BB8D63C74F7A4CF53,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000117735Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:11.949{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63211-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000117737Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:14.904{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6D970204C8457E4D18DA3AC764C392B,SHA256=F012BBEBD3E99697A0D3F3AA06C48BEDE7D3511919AD05F7F9FCF3F102CECDB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084807Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:14.838{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=225188B4F8E221BFE6B554B0E76FE0B9,SHA256=772619139119ECE5AFF128451B7A42D96A2667BD55490E465E24CDA5AE19639A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084809Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:15.931{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B9076E1D3F91824814EEBD3874F1844,SHA256=8D59856327B63DBEC2E63E28CE8FFA7D92B6B71F3EF9B7BA0028EE7223AE46B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084808Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:12.682{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51612-false10.0.1.12-8000- 23542300x8000000000000000117738Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:15.998{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B91105E33DCE25980688DE4102C8827,SHA256=98EE7D35C59D6172B37D72ED351A63D26C6F7D696EF5433997101A1153582255,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117739Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:17.092{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=676E68D03D35646E742D9F76D00FA608,SHA256=D9D3B8FBDB02D047DF015549CA48F4B3A024381EE339C1F5115214D775DFEF7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084810Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:17.029{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D5D8DF645E1447EC474E429D0502B76,SHA256=F368FE704712B4068771C9940E41D43F7A548AB9CDAE1503D280443AF0C6F19E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084811Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:18.123{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=306AE337F9267EFF93B7893C3FFBBD90,SHA256=4E968E74ED8006E7A623EE14A45ADB73E18FBB4940009A2042D395903E187AE2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000117741Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:16.981{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63212-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000117740Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:18.186{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84742A81E7A420A10FD3A006DEBACA03,SHA256=4E20A6F9EADE529FE4F4E755F15EB888B4803ED5108FE73A387D33659ED6CB9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117742Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:19.280{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=166E77BDFBF12392E9182334F98D84D0,SHA256=0C893B3293EAC2CC05A32F480B7E0E4C94F75179A2176952BDCCD163FB0A4CD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084812Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:19.217{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F042C2A5B35B8E7F2105F6ED6182857,SHA256=8DA52A2B00ACAD777AE7E1D8DB281CBCFF2800A5ED4D0DDFF10B1ADDECC3CEAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117743Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:20.545{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A54C8742E51BB80A41533007D593F3F9,SHA256=A2D80E928D52D5E8FA8419802C14DB7480AA0558F4081BA0E5186FC53E225170,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084814Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:18.657{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51613-false10.0.1.12-8000- 23542300x800000000000000084813Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:20.326{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD8FAB7ABE2C1F7EB787F7DD70386D90,SHA256=C5A2BF356521C92E5FE1F05466F4627B4F8A512B217E37589F659C26980CB633,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117744Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:21.686{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D39F192788BF2D3A91032F08F5E0AD2,SHA256=6AAF733E570AA15BECD2B6B42B47045A2AC010D33BC7DF59603F3A13C6C90038,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084815Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:21.420{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D25920EB1C1D006B1F225AD4D30A4761,SHA256=46E57EC02F47B301D50570E8E0DEB7063BFD5AE3CDE2B0BF4135AA2D87FD25AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117745Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:22.780{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06425B572045233DBF23DE17415E9372,SHA256=656C84F750787CC5D10401F51E9D7957EC694BF9FAF5C39184A0FE768F9B8843,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084816Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:22.514{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D26363417F87F0B1CB63886102E7C84,SHA256=F819A8FAE5D0E4E174CF0883C9625C9A1772AE66B605B15654B425CB06C38723,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117746Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:23.889{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7957BFC07F6D10DCEB9163C8472637CD,SHA256=F84B9EDB42E6A188BAAB98AFC239243626EE406EEAC2ED97FFEC92E1DE7F5443,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084817Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:23.607{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57A82CFEDA3BDC2A8D628E898C36C48A,SHA256=FF39B220348399AADE5354CCB3C46B9C7F1D36E7565DE7EB5FB428856333EB7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117747Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:24.983{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC492B3F649DB7F802D6806A440385F2,SHA256=4AF7481035EF366D2BC9D098959E54D1ECBDD8932FE4800E69445CD265EFC6BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084818Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:24.701{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73A0D6A379913ED115AE4D155F026335,SHA256=45C2A2F79720CDCD22CE709339B640CED50403772542692A0C01E569D3B674B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084821Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:25.795{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B95D259A13DABD3F28AEB89B24FB784C,SHA256=09AF4F5C4CFF9C1324D0EDCECAF22A3A8D94E05532B670F6409FE8C62196446C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000117748Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:22.918{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63213-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000084820Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:25.670{9531C931-286E-623C-2100-000000004302}2000NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=D192966CF09BEB614FE2610453FD0F59,SHA256=EBADA65085A0DFA3E172AC7C217F6089BF01F910EE1A25407D77F8A08898B807,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084819Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:23.671{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51614-false10.0.1.12-8000- 23542300x800000000000000084822Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:26.889{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAD65854B51631EC4D379400BDF77054,SHA256=1115B75B0BF4FA6F14291B3B98D2B34AC081535799BDBD71C88788CF0E6E697B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117749Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:26.077{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFF55F8FD8EBDB3FA9C09F5EC2A4EF35,SHA256=1E95AC3A445DF91780B0C65D83F6C7FF6F53C70E4A241CF58E16DB4DCC171B92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084823Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:27.982{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8A341881A5F9C2278493F936A8036A8,SHA256=22D77104E7F5F273BCB2D77A8BEE106208BC452A6B48558C4C167549BF281D2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117750Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:27.170{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5210C3D6E628550685351FED0B35F6B,SHA256=35F45E5F29B8C12A05452CB6897F7F956BD2D7DB92BB8F951EEA198FDEA6914E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117751Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:28.264{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FCC9B8B47ED513B872F533B87127256,SHA256=FDF87401DBBA282B1A3DFEC5F043E4AFEE81007A83C19698222C9988230C21C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117752Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:29.358{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84C12AD3E5790A6212F54EDA0E2646E6,SHA256=1DD54D46C9049666B273DCF812E7147991F6C1AA4A80627D7F07470942A3285C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084824Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:29.076{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62A1D50A07EC41C3174B7F17BAE13ED9,SHA256=DCA5C5BC09D208A9E86E3CECCE77A4FBAB92E572DF9933DA594BD7FD8D7FF6E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117754Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:30.452{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25875B356893D56FE254C62F2BA5C2A1,SHA256=CD40C53EDF8610FDEF0AB5C8C1CAD360914514265ECC93E89319ADFA89F0AD2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084825Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:30.170{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E44395166ED1AC2E7DCFBB3243EFD3AC,SHA256=C50C2AAF1083146EACD882E390D45A9CDB76EE89FC664866D36D5E79771CC795,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000117753Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:27.996{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63214-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000117755Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:31.545{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB3BDCFDDE46ED13819D0A5D9F6C7C73,SHA256=4FA68EF2EC095AD002B70F63F636225D16138AAEA4887208D0071924A6ED41F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084828Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:29.593{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51615-false10.0.1.12-8000- 23542300x800000000000000084827Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:31.404{9531C931-286E-623C-2100-000000004302}2000NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B25FDCC12974A9C381F03B139373D5A,SHA256=CCB13157BCC6FA0284F12C6446F2447FFDD0F4F85F98465868293CDAEA96B09E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084826Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:31.264{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=885E8D919EEBA2AB01091BCFA208C66F,SHA256=647AFAE3FBBD395E8DA4AB440EDCCEFEC98121E382CDD51DA46878EB8FF183DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117756Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:32.639{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A73999F3A1DB82DCFBCD9350BA2DB58F,SHA256=FCF4AC386EBEE30F8DF64BC066D30381668663D5EE042DBFB87FF60304967023,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084829Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:32.357{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07C252502B1B0E9CCBD75C59DD441544,SHA256=4F4D67DF99E3D54E92AE08DB0822EB0BAF7454FA350842C9AEB612AC12390D24,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117773Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:33.795{5F3DCEF0-28A1-623C-8F00-000000004202}47164784C:\Windows\system32\taskhostw.exe{5F3DCEF0-4E9D-623C-7605-000000004202}7004C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117772Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:33.780{5F3DCEF0-28A1-623C-8F00-000000004202}47164784C:\Windows\system32\taskhostw.exe{5F3DCEF0-4E9D-623C-7605-000000004202}7004C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117771Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:33.780{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4E9D-623C-7605-000000004202}7004C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bc660|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117770Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:33.780{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4E9D-623C-7605-000000004202}7004C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10ac30|C:\Windows\System32\SHELL32.dll+bc61c|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117769Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:33.780{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4E9D-623C-7605-000000004202}7004C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bc5f0|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117768Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:33.780{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4E9D-623C-7605-000000004202}7004C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+1007b9|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000117767Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:33.733{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D593E04A8F9CB0DA2E8E6661DC9202FD,SHA256=31C815463AA1F77B4D9FAA7D30BD3F62C55831FABF57D292D2E12E0054ACCC1F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084831Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:30.936{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51616-false10.0.1.12-8089- 23542300x800000000000000084830Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:33.451{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=417B0819A82554243DA8628E426A0DB0,SHA256=FA05BEFFCA7D049F0A20E7E60B331170C35597EBA8D6A5C085F23E6ACA171753,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117766Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:33.592{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-4E9D-623C-7605-000000004202}7004C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117765Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:33.592{5F3DCEF0-286D-623C-1600-000000004202}12601932C:\Windows\system32\svchost.exe{5F3DCEF0-4E9D-623C-7605-000000004202}7004C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117764Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:33.592{5F3DCEF0-286D-623C-1600-000000004202}12601344C:\Windows\system32\svchost.exe{5F3DCEF0-4E9D-623C-7605-000000004202}7004C:\Program Files\Notepad++\notepad++.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117763Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:33.468{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117762Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:33.468{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117761Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:33.468{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117760Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:33.468{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117759Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:33.468{5F3DCEF0-289E-623C-8500-000000004202}29806004C:\Windows\system32\csrss.exe{5F3DCEF0-4E9D-623C-7605-000000004202}7004C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117758Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:33.468{5F3DCEF0-28A1-623C-9400-000000004202}50244504C:\Windows\Explorer.EXE{5F3DCEF0-4E9D-623C-7605-000000004202}7004C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Notepad++\NppShell_06.dll+4449|C:\Program Files\Notepad++\NppShell_06.dll+46a6|C:\Windows\System32\SHELL32.dll+d9c67|C:\Windows\System32\SHELL32.dll+c0bbe|C:\Windows\System32\SHELL32.dll+15890c|C:\Windows\System32\SHELL32.dll+1982a8|C:\Windows\System32\SHELL32.dll+284613|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+158c54|C:\Windows\System32\SHELL32.dll+15602e|C:\Windows\System32\SHELL32.dll+cd0c1|C:\Windows\System32\SHELL32.dll+cffa6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53 154100x8000000000000000117757Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:33.393{5F3DCEF0-4E9D-623C-7605-000000004202}7004C:\Program Files\Notepad++\notepad++.exe8.33Notepad++ : a free (GPL) source code editorNotepad++Don HO don.h@free.frnotepad++.exe"C:\Program Files\Notepad++\notepad++.exe" "C:\Program Files\7-Zip\History.txt"C:\Windows\system32\ATTACKRANGE\Administrator{5F3DCEF0-28A0-623C-DB99-080000000000}0x899db2HighMD5=4F97FC820667DEBD2A076D99E4656179,SHA256=7CBA6F6EDC53CAFAC8D74451EE4EFCFF1CA0D8EAF5BF111B9717B3A14BC5791F,IMPHASH=6BF41AAD44CE76BBBB7AA843748061B9{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x8000000000000000117782Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:34.827{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F771CBF956B18F765E1F1867D3423468,SHA256=B67AAE4BF43AAD29DD1429F3E95E2F65510F5631765E0055ACA0F9195FB11387,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084832Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:34.545{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0887D17CF3381814FA3DE754F7C907A6,SHA256=68B44E6F28C6C511AA0CE9450240E1AA617341B4606BD863E18DFEEA00CED631,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117781Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:34.436{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=86C4109A403ADACA46A111D499246B81,SHA256=A9DAFC9408DEC5AEDC5F75C32F6D12EF13E867238EDD9EC9423F3835F953AE70,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117780Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:34.217{5F3DCEF0-28A1-623C-9400-000000004202}50246424C:\Windows\Explorer.EXE{5F3DCEF0-4E9D-623C-7605-000000004202}7004C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117779Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:34.217{5F3DCEF0-28A1-623C-9400-000000004202}50246424C:\Windows\Explorer.EXE{5F3DCEF0-4E9D-623C-7605-000000004202}7004C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117778Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:34.217{5F3DCEF0-28A1-623C-9400-000000004202}50246424C:\Windows\Explorer.EXE{5F3DCEF0-4E9D-623C-7605-000000004202}7004C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117777Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:34.217{5F3DCEF0-28A1-623C-9400-000000004202}50246596C:\Windows\Explorer.EXE{5F3DCEF0-4E9D-623C-7605-000000004202}7004C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117776Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:34.217{5F3DCEF0-28A1-623C-9400-000000004202}50246596C:\Windows\Explorer.EXE{5F3DCEF0-4E9D-623C-7605-000000004202}7004C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117775Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:34.217{5F3DCEF0-28A1-623C-9400-000000004202}50246596C:\Windows\Explorer.EXE{5F3DCEF0-4E9D-623C-7605-000000004202}7004C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117774Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:34.217{5F3DCEF0-28A1-623C-9400-000000004202}50246596C:\Windows\Explorer.EXE{5F3DCEF0-4E9D-623C-7605-000000004202}7004C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000117785Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:35.920{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22BB7A148EA76A8D1909C6F9695D732D,SHA256=E3C23DA3A81E5624118DAAF900C502ED7205295FF3EFC92B45B4C24C7DD894DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084833Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:35.639{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53EB64B2B1B9387085947EEE4944FBB1,SHA256=80F759C8464422A5E950958200BAC765C6F2887320FA7960A22D03CBC6847A06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117784Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:35.498{5F3DCEF0-287B-623C-3200-000000004202}2344NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=0876F4BC4AAF25E0518E2A761766AEFE,SHA256=11EA7F1B651A868A424CA4B0EF5597FC414D8D759DDAFD015C454F4C71E4F861,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000117783Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:33.012{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63215-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000084834Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:36.735{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C093C172F4DC8AC99625650FE733D52,SHA256=77E8648B2808E9CA926CB68B609945070FBCCF71D00971108C5A716EAEC1A3F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084835Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:37.829{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D364BD719FEE2F3EBA6F97BEEE36C814,SHA256=F9F7366B69B98A4D1DDE7640CDF039277B4AE8774A58398402C9F9CEA3A60FF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117786Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:37.017{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA3705DE1E50733772F1934F8AB7CBE4,SHA256=310C066184349FFDD6F25546C92E9EF618FB9A5BEBAF64A6E3EE3D56B68C3A5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084837Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:38.922{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59D4276EAABE65B1A16EE8707949EDB4,SHA256=49106B3B90913ABE9E861E30356F79103F27CC15E780F938E3B8C3B791298C03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117787Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:38.111{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71F07E6A704AB9CE45379EB5B4BC2313,SHA256=B6BE6B98FC51D5DF98EEF2DC4EC69078DC191DE76F7A5A950FD1E5B0D924F20C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084836Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:35.595{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51617-false10.0.1.12-8000- 23542300x800000000000000084838Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:39.954{9531C931-286D-623C-1200-000000004302}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=4374DCBE5E7A04E2ADEED8A22E37CD2B,SHA256=06C9D7D7F931CE87856CE23B4BCDB0A14252A0496913F01BAA87E7C01D9360E8,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000117799Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-SetValue2022-03-24 10:57:39.267{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000117798Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-SetValue2022-03-24 10:57:39.267{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0095f5a6) 13241300x8000000000000000117797Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-SetValue2022-03-24 10:57:39.267{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d83f65-0x982c84a6) 13241300x8000000000000000117796Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-SetValue2022-03-24 10:57:39.267{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d83f6d-0xf9f0eca6) 13241300x8000000000000000117795Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-SetValue2022-03-24 10:57:39.267{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d83f76-0x5bb554a6) 13241300x8000000000000000117794Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-SetValue2022-03-24 10:57:39.267{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000117793Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-SetValue2022-03-24 10:57:39.267{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0095f5a6) 13241300x8000000000000000117792Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-SetValue2022-03-24 10:57:39.267{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d83f65-0x982c84a6) 13241300x8000000000000000117791Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-SetValue2022-03-24 10:57:39.267{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d83f6d-0xf9f0eca6) 13241300x8000000000000000117790Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-SetValue2022-03-24 10:57:39.267{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d83f76-0x5bb554a6) 23542300x8000000000000000117789Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:39.204{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DE9FDBC1118277219A0BAA1A2059F90,SHA256=1206855BDC0ADEDCC70557C204728F0B99991252763CF820E2EB10C47E24DA51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117788Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:39.126{5F3DCEF0-286D-623C-1300-000000004202}488NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=49B12265D65B1526B1C559D36BA9CE67,SHA256=E134DDBF216B2767FD5C09DF5BB1D939A3326B9399E2CF75DB43937E1CC7E805,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000117801Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:38.985{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63216-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000117800Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:40.189{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6754205CA183BF783BBC87C9847B28F,SHA256=D54BFF59BBEED2610A73500FB3110892CF56C69935F9C95959B5A1C65CB2CF56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084839Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:40.016{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4E5F21C3EC5AB21F334DE63DEA46E9D,SHA256=D4F0DB49441CB3A96C00B2B97BB3D7549DB0DD76FBCC6BD80127A2A72DC26921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117803Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:41.657{5F3DCEF0-287B-623C-3200-000000004202}2344NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B25FDCC12974A9C381F03B139373D5A,SHA256=CCB13157BCC6FA0284F12C6446F2447FFDD0F4F85F98465868293CDAEA96B09E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117802Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:41.282{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F4E74A2F9EF1B19599A1A4F8587E318,SHA256=B75D9F8096435152A3B8782CB44D3F57E5C147B7556CD910EC743931740BD6EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084840Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:41.001{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ADCA643CB022CEC3659DF4BF9C109E4,SHA256=4D9C4D41549390017EB16E6997180027AC97FBFBC101A94D1B795A1F154A25A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117804Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:42.376{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A40D42BE497920DACF75AB23F4CB9696,SHA256=DD8DC9E74BA81781A806AB1B803E39270022B91CA5A665B62FB6FEBC4889C15C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084842Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:40.738{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51618-false10.0.1.12-8000- 23542300x800000000000000084841Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:42.094{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F507F5FA348DDED449A9CC8566CA367,SHA256=A5BF93F1F495266AF8B4E001339EFD3BEDECD1B74679F3AA230DC08C3F49E024,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117806Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:43.470{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4EB161964675A5E744FBD114DF21C74,SHA256=A3AF45F49C9B8560592CC983EB02D75709529D9B13EB6EA2FF68F810D991EA9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084844Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:43.395{9531C931-286E-623C-1F00-000000004302}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0461bb3aaa367e86a\channels\health\respondent-20220324081441-158MD5=E0BA989DE2EAC2D304FA728EF5181BE5,SHA256=79811ABCB3575FCAAAD7A2ED1966FC2D319842A68AFDD7DF3600AD47FF32DF65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084843Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:43.189{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72BA0FEAFF360CA63640E4FC26FA334A,SHA256=E109ECE04C4F9D5DF2A5AC16D8C74AA9B0702DB7C3CDB88E455201687D323AC4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000117805Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:41.405{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63217-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000117807Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:44.564{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FA47C63CDE48864509ABD3B250EE3D4,SHA256=8811CB474EEC2AF40A5CDDAC9E6B6BDA24EB3FD9807F9135E84E0675F5092D6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084846Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:44.409{9531C931-286E-623C-1F00-000000004302}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0461bb3aaa367e86a\channels\health\surveyor-20220324081439-159MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084845Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:44.283{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D48A51FF7759B1F0BF9E3C97BA9D05C7,SHA256=CDADA96CB4A2F80FE877CC8D9BA1C51DA6E58F35625AFE91570401DFFED0B333,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117810Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:45.657{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75743DDD7BD22E49787D2D77A044D10A,SHA256=DE94732248134E74358B9E4487DC33C29627B244E6282863398F7C9BC379F33C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084847Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:45.381{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E1B3045B8952B09E8C7196AE2B894EB,SHA256=BB069E3CE30F70B49EBEDD6184CFD977C43E994E61067E9C4F59666C25B9577E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117809Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:45.282{5F3DCEF0-286B-623C-0B00-000000004202}620744C:\Windows\system32\lsass.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117808Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:45.282{5F3DCEF0-286B-623C-0B00-000000004202}620744C:\Windows\system32\lsass.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000117812Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:46.751{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F455913FE1FEDB5ABFFDC7DE6791F2C0,SHA256=309E74E399A6D0FC877A8C3D9AB8736AE53112D18FF8697B3A2C22BA2AFBE82B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084848Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:46.475{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBB386CFDFC3927590A34BAD5B54E64E,SHA256=91E05A02BB177B4670262D734B199514BC889ED1A443D28183E1624ABF65EE29,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000117811Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:44.936{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63218-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000117813Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:47.845{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=420CA277842618349AC92012EA310633,SHA256=895AC594A23AE351AADC0A6A469A7A9516D27EC64EF4793D8B31DB8AF1905081,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084849Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:47.568{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE394E94B56A2785F1E0171BA8CC32FD,SHA256=C680A4329E9C7E8312C273EA9398C5A7B67FBFCD007718CCEC9C98B27A13F2E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117814Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:48.954{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85D1C918F7B0BECB87BCE00FA791EBF9,SHA256=1E7FF5C979A12E8D9262DDF00AEA2DB7B6D528445B9F42FAFF363EC5C0EDC16E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084851Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:48.662{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D416CAEECE5313EE2EB806CA0C07B4F,SHA256=2A20DB1416B68C46B4B9E14EAF78D998D44F8A64156696E6CF409206FFE4434C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084850Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:45.757{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51619-false10.0.1.12-8000- 23542300x800000000000000084852Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:49.772{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4C072BAC85D5037BBC79A5C1B893CE0,SHA256=6DA86C2A5BECFD46F24F3BEF568CC0C0410A1939A20C9C54822AB70C9890806B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084853Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:50.865{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6124D353E7078ACB013A4A9D376508D1,SHA256=3506C4D3C5F78E2F6E56F311F76899967198658A1BEB8CE4E5DBC1263F415668,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117815Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:50.048{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E80B4AD0C2E33DCAEFCC438A1646FBEE,SHA256=EABD6EF8531F17C7D8102C71E5B6145B54CA048FEFB4A98BC171C5538FF06B67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084854Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:51.959{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DE7C0AC12718500B335C3A2AE921260,SHA256=C766325BDF85A4B616EACC7E3D7179BE803AC85B947F3E63C6639A9C47A286F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117816Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:51.142{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE4FB394F5E157366789F906AEAEF41E,SHA256=FCDA88F79710E967F19F38AE431DA5FD9926F8877A7E5B793CECE4A6E56C5869,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000117818Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:50.858{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63219-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000117817Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:52.236{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99F4C7764F9F0CC8EDE2EAB7FCBE4DD4,SHA256=2B205A44E44C9061EB3D3BEC51DD9B9A3CEC81CB8489652B9D7AEE8F3EC0A549,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084881Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:52.772{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4EB0-623C-0505-000000004302}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084880Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:52.772{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084879Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:52.772{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084878Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:52.772{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084877Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:52.772{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084876Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:52.772{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084875Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:52.772{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084874Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:52.772{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084873Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:52.772{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084872Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:52.772{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084871Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:52.772{9531C931-286C-623C-0500-000000004302}4081060C:\Windows\system32\csrss.exe{9531C931-4EB0-623C-0505-000000004302}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084870Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:52.772{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4EB0-623C-0505-000000004302}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084869Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:52.772{9531C931-4EB0-623C-0505-000000004302}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000084868Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:52.475{9531C931-4EB0-623C-0405-000000004302}24002928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084867Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:52.256{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4EB0-623C-0405-000000004302}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084866Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:52.256{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084865Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:52.256{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084864Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:52.256{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084863Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:52.256{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084862Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:52.256{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084861Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:52.256{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084860Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:52.256{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084859Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:52.256{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084858Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:52.256{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084857Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:52.256{9531C931-286C-623C-0500-000000004302}408424C:\Windows\system32\csrss.exe{9531C931-4EB0-623C-0405-000000004302}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084856Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:52.256{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4EB0-623C-0405-000000004302}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084855Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:52.257{9531C931-4EB0-623C-0405-000000004302}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000117819Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:53.329{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB3DDD6ACE6FA5A1C0789D55E8D89A1F,SHA256=61140626D3229B8E56246370D28219AED7C8C76019F7BCE41306D8E4BAE07957,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084883Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:53.506{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C82FCC0EBEBCFDE6B8140BFFC60282F2,SHA256=1E15DB858004A5254E193D9F2049C679A9F7878C5F76074FE907F00902CC6585,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084882Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:53.506{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=93953CC45DBA14E2A11A59160028B2F6,SHA256=6A77138759F8AEE82A7F69D9EBEE1F43AD2EB6A607BB2DFBDCD4D9FFDAA82C33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117820Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:54.423{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAAB1DA00CA62FD761AE368E96CF937D,SHA256=DC308EE432547CC4081BBDD9BEFBBBD24365738978FDF0ECA1CEE6ECEED233CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084885Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:54.600{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7F4AE753E35269737369A6AACD5EB1B,SHA256=6ABDE61A5E0923A722CCA1B32677BC25E5FA4140D4607BF7DDE59C81D27F4A8E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084884Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:51.726{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51620-false10.0.1.12-8000- 23542300x800000000000000084900Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:55.787{9531C931-286E-623C-2100-000000004302}2000NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=4A29A75CEB9944A9F891C556D6574BC7,SHA256=2D65FB3DE634183C86B613C5F42A8EF0589095348617F2170B260517C2D8BA7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084899Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:55.693{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FB908F9AB726AEE26B48BC537ADC8F8,SHA256=261254196B37570537D374EB50D4BF275ED416567CE88525326BA5DB719DCA93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117821Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:55.517{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CDB4A87487DE5BF8118B7D5BCFDC1E3,SHA256=D7C1FD1F63E8E8FF18130741609D81A197975EB14C831C08F1960640F9AE302F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084898Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:55.006{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4EB3-623C-0605-000000004302}3296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084897Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:55.006{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084896Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:55.006{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084895Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:55.006{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084894Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:55.006{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084893Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:55.006{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084892Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:55.006{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084891Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:55.006{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084890Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:55.006{9531C931-286C-623C-0500-000000004302}4081060C:\Windows\system32\csrss.exe{9531C931-4EB3-623C-0605-000000004302}3296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084889Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:55.006{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084888Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:55.006{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084887Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:55.006{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4EB3-623C-0605-000000004302}3296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084886Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:55.007{9531C931-4EB3-623C-0605-000000004302}3296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000084928Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:56.911{9531C931-4EB4-623C-0805-000000004302}4322704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117836Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:56.971{5F3DCEF0-289E-623C-8500-000000004202}29802452C:\Windows\system32\csrss.exe{5F3DCEF0-4EB4-623C-7805-000000004202}7056C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117835Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:56.971{5F3DCEF0-286D-623C-1200-000000004202}3961416C:\Windows\System32\svchost.exe{5F3DCEF0-4EB4-623C-7805-000000004202}7056C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117834Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:56.971{5F3DCEF0-286D-623C-1200-000000004202}3961416C:\Windows\System32\svchost.exe{5F3DCEF0-4EB4-623C-7705-000000004202}844C:\Temp\doublezero-cleaned.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000117833Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.localInvDBSetValue2022-03-24 10:57:56.971{5F3DCEF0-286D-623C-1200-000000004202}396C:\Windows\System32\svchost.exeHKU\S-1-5-21-121674864-1922237361-2357191555-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Temp\doublezero-cleaned.exeBinary Data 10341000x8000000000000000117832Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:56.971{5F3DCEF0-286D-623C-1200-000000004202}3961060C:\Windows\System32\svchost.exe{5F3DCEF0-4EB4-623C-7705-000000004202}844C:\Temp\doublezero-cleaned.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117831Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:56.956{5F3DCEF0-286D-623C-1200-000000004202}3961060C:\Windows\System32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117830Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:56.956{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117829Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:56.956{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117828Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:56.956{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117827Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:56.956{5F3DCEF0-289E-623C-8500-000000004202}29804996C:\Windows\system32\csrss.exe{5F3DCEF0-4EB4-623C-7705-000000004202}844C:\Temp\doublezero-cleaned.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117826Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:56.956{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117825Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:56.956{5F3DCEF0-28A1-623C-9400-000000004202}50243716C:\Windows\Explorer.EXE{5F3DCEF0-4EB4-623C-7705-000000004202}844C:\Temp\doublezero-cleaned.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e70b|C:\Windows\System32\windows.storage.dll+16e421|C:\Windows\System32\windows.storage.dll+16e06e|C:\Windows\System32\windows.storage.dll+16f310|C:\Windows\System32\windows.storage.dll+16ddbe|C:\Windows\System32\windows.storage.dll+fce7d|C:\Windows\System32\windows.storage.dll+fd5bc|C:\Windows\System32\windows.storage.dll+fc920|C:\Windows\System32\windows.storage.dll+1664ca|C:\Windows\System32\windows.storage.dll+166222|C:\Windows\System32\SHELL32.dll+9cf3d|C:\Windows\System32\SHELL32.dll+9bad6|C:\Windows\System32\SHELL32.dll+d9be1|C:\Windows\System32\SHELL32.dll+c0bbe|C:\Windows\System32\SHELL32.dll+18d1bc|C:\Windows\System32\SHELL32.dll+18cf13|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000117824Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:56.958{5F3DCEF0-4EB4-623C-7705-000000004202}844C:\Temp\doublezero-cleaned.exe-----"C:\Temp\doublezero-cleaned.exe" C:\Temp\ATTACKRANGE\Administrator{5F3DCEF0-28A0-623C-DB99-080000000000}0x899db2HighMD5=38A15145105BE943415EB1B1602C9C31,SHA256=0608FB940E1CE2EF38E3D16A6A0E436390AE87A193C4FE9AC7118510DB86B495,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x8000000000000000117823Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:56.596{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B218035325E30820DDB3A37A5B3C4A5C,SHA256=8A6856815840CB1CE2714B389811E09D68E67FF7BA718F2E318EB52497881C96,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084927Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:56.659{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4EB4-623C-0805-000000004302}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084926Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:56.659{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084925Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:56.659{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084924Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:56.659{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084923Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:56.659{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084922Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:56.659{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084921Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:56.659{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084920Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:56.659{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084919Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:56.659{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084918Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:56.659{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084917Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:56.659{9531C931-286C-623C-0500-000000004302}4081060C:\Windows\system32\csrss.exe{9531C931-4EB4-623C-0805-000000004302}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084916Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:56.659{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4EB4-623C-0805-000000004302}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084915Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:56.660{9531C931-4EB4-623C-0805-000000004302}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000084914Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:56.424{9531C931-4EB4-623C-0705-000000004302}26601328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084913Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:56.159{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4EB4-623C-0705-000000004302}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084912Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:56.159{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084911Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:56.159{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084910Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:56.159{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084909Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:56.159{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084908Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:56.159{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084907Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:56.159{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084906Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:56.159{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084905Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:56.159{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084904Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:56.159{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084903Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:56.159{9531C931-286C-623C-0500-000000004302}408528C:\Windows\system32\csrss.exe{9531C931-4EB4-623C-0705-000000004302}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084902Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:56.159{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4EB4-623C-0705-000000004302}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084901Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:56.160{9531C931-4EB4-623C-0705-000000004302}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000117822Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:56.380{5F3DCEF0-287B-623C-2F00-000000004202}3064NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-055648375a9ac07a7\channels\health\respondent-20220324081453-158MD5=AC296348C12F899BF0F527F2984A2DD1,SHA256=A35560BD23E94F5C9C2AA7752B988DA786BB94608EDDAF755EB3DCD02CE684A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117864Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:57.752{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=182497B6F9A448FAFB1829B778CACCE7,SHA256=E329F1356952D08B8BAA8625E092AE6F87CFF572108AABFA5E683B5B72027088,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084943Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:57.330{9531C931-4EB5-623C-0905-000000004302}25921916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000084942Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:57.174{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=443D7EBB77FCB591DADD0C3F24DE3BA7,SHA256=FCEBCD247BF92C784865DCA4AE71D93D385D443FC550A847482E8A231161DDF8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084941Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:57.174{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4EB5-623C-0905-000000004302}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084940Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:57.174{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084939Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:57.174{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084938Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:57.174{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084937Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:57.174{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084936Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:57.174{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084935Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:57.174{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084934Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:57.174{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084933Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:57.174{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084932Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:57.174{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084931Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:57.174{9531C931-286C-623C-0500-000000004302}408528C:\Windows\system32\csrss.exe{9531C931-4EB5-623C-0905-000000004302}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084930Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:57.174{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4EB5-623C-0905-000000004302}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084929Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:57.175{9531C931-4EB5-623C-0905-000000004302}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000117863Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:57.394{5F3DCEF0-287B-623C-2F00-000000004202}3064NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-055648375a9ac07a7\channels\health\surveyor-20220324081451-159MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117862Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:57.300{5F3DCEF0-4EB4-623C-7705-000000004202}844ATTACKRANGE\AdministratorC:\Temp\doublezero-cleaned.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\SchCache\win-dc-tcontreras-attack-range-891.attackrange.local.schMD5=3B3531A335298119AD90D9B9BEB810AF,SHA256=77996876B4230A7DFCE13A77C0AA2E3B969AFA2A4562FD8583B6DDE3742EB2AD,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000117861Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:57.190{5F3DCEF0-4EB4-623C-7705-000000004202}844C:\Temp\doublezero-cleaned.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x8000000000000000117860Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:57.175{5F3DCEF0-286B-623C-0B00-000000004202}620744C:\Windows\system32\lsass.exe{5F3DCEF0-4EB4-623C-7705-000000004202}844C:\Temp\doublezero-cleaned.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117859Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:57.175{5F3DCEF0-286B-623C-0B00-000000004202}620744C:\Windows\system32\lsass.exe{5F3DCEF0-4EB4-623C-7705-000000004202}844C:\Temp\doublezero-cleaned.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117858Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:57.175{5F3DCEF0-286B-623C-0B00-000000004202}620744C:\Windows\system32\lsass.exe{5F3DCEF0-4EB4-623C-7705-000000004202}844C:\Temp\doublezero-cleaned.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117857Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:57.159{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-4EB4-623C-7705-000000004202}844C:\Temp\doublezero-cleaned.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117856Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:57.159{5F3DCEF0-286B-623C-0B00-000000004202}620744C:\Windows\system32\lsass.exe{5F3DCEF0-4EB4-623C-7705-000000004202}844C:\Temp\doublezero-cleaned.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117855Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:57.159{5F3DCEF0-286B-623C-0B00-000000004202}620744C:\Windows\system32\lsass.exe{5F3DCEF0-4EB4-623C-7705-000000004202}844C:\Temp\doublezero-cleaned.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117854Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:57.159{5F3DCEF0-286B-623C-0B00-000000004202}620744C:\Windows\system32\lsass.exe{5F3DCEF0-4EB4-623C-7705-000000004202}844C:\Temp\doublezero-cleaned.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117853Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:57.129{5F3DCEF0-286B-623C-0B00-000000004202}620744C:\Windows\system32\lsass.exe{5F3DCEF0-4EB4-623C-7705-000000004202}844C:\Temp\doublezero-cleaned.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117852Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:57.065{5F3DCEF0-28A1-623C-9400-000000004202}5024412C:\Windows\Explorer.EXE{5F3DCEF0-4EB4-623C-7705-000000004202}844C:\Temp\doublezero-cleaned.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117851Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:57.065{5F3DCEF0-28A1-623C-9400-000000004202}5024412C:\Windows\Explorer.EXE{5F3DCEF0-4EB4-623C-7705-000000004202}844C:\Temp\doublezero-cleaned.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117850Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:57.065{5F3DCEF0-28A1-623C-9400-000000004202}5024412C:\Windows\Explorer.EXE{5F3DCEF0-4EB4-623C-7705-000000004202}844C:\Temp\doublezero-cleaned.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117849Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:57.065{5F3DCEF0-28A1-623C-8F00-000000004202}47164784C:\Windows\system32\taskhostw.exe{5F3DCEF0-4EB4-623C-7805-000000004202}7056C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117848Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:57.065{5F3DCEF0-28A1-623C-8F00-000000004202}47164784C:\Windows\system32\taskhostw.exe{5F3DCEF0-4EB4-623C-7805-000000004202}7056C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117847Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:57.018{5F3DCEF0-28A1-623C-9400-000000004202}50243552C:\Windows\Explorer.EXE{5F3DCEF0-4EB4-623C-7705-000000004202}844C:\Temp\doublezero-cleaned.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117846Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:57.018{5F3DCEF0-28A1-623C-9400-000000004202}50243552C:\Windows\Explorer.EXE{5F3DCEF0-4EB4-623C-7705-000000004202}844C:\Temp\doublezero-cleaned.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117845Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:57.018{5F3DCEF0-28A1-623C-9400-000000004202}50243552C:\Windows\Explorer.EXE{5F3DCEF0-4EB4-623C-7705-000000004202}844C:\Temp\doublezero-cleaned.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117844Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:57.018{5F3DCEF0-28A1-623C-9400-000000004202}50243552C:\Windows\Explorer.EXE{5F3DCEF0-4EB4-623C-7705-000000004202}844C:\Temp\doublezero-cleaned.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117843Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:57.003{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4EB4-623C-7805-000000004202}7056C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bc660|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117842Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:57.003{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4EB4-623C-7805-000000004202}7056C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10ac30|C:\Windows\System32\SHELL32.dll+bc61c|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117841Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:57.003{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4EB4-623C-7805-000000004202}7056C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bc5f0|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117840Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:57.003{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4EB4-623C-7805-000000004202}7056C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+1007b9|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117839Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:56.987{5F3DCEF0-286D-623C-1600-000000004202}12601428C:\Windows\system32\svchost.exe{5F3DCEF0-4EB4-623C-7805-000000004202}7056C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117838Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:56.987{5F3DCEF0-286D-623C-1600-000000004202}12601344C:\Windows\system32\svchost.exe{5F3DCEF0-4EB4-623C-7805-000000004202}7056C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117837Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:56.987{5F3DCEF0-4EB4-623C-7805-000000004202}70564572C:\Windows\system32\conhost.exe{5F3DCEF0-4EB4-623C-7705-000000004202}844C:\Temp\doublezero-cleaned.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000117869Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:56.949{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63221-false10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local389ldap 354300x8000000000000000117868Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:56.949{00000000-0000-0000-0000-000000000000}844<unknown process>-tcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63221-false10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local389ldap 354300x8000000000000000117867Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:56.875{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63220-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000117866Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:58.818{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5F2A4638BC14516CC31404C9E60228D,SHA256=924B40F5DFF39B7201DC093D7D8BD31A944A03F9F434484400ED87D4C9EFC176,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084944Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:58.002{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D30E3AC44AE5A403737D3931FC7EBC2,SHA256=F361FA84B19C6335612B4E73DC5DB19AA2722956B73FC0BA519FD2DA4C13B592,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117865Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:58.130{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F19E67A130E7D7E8F0FEBE53CF742D82,SHA256=258DCA3D90BF529BCFC1B086420C78BE14724869E6768EB0DA1BDE2712FB14F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117915Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.991{5F3DCEF0-4EB7-623C-7905-000000004202}5304ATTACKRANGE\AdministratorC:\Temp\doublezero.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\SchCache\win-dc-tcontreras-attack-range-891.attackrange.local.schMD5=3B3531A335298119AD90D9B9BEB810AF,SHA256=77996876B4230A7DFCE13A77C0AA2E3B969AFA2A4562FD8583B6DDE3742EB2AD,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000117914Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.865{5F3DCEF0-4EB7-623C-7905-000000004202}5304C:\Temp\doublezero.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x8000000000000000117913Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.837{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EB7-623C-7905-000000004202}5304C:\Temp\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117912Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.837{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EB7-623C-7905-000000004202}5304C:\Temp\doublezero.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117911Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.837{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EB7-623C-7905-000000004202}5304C:\Temp\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117910Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.837{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-4EB7-623C-7905-000000004202}5304C:\Temp\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117909Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.818{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EB7-623C-7905-000000004202}5304C:\Temp\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117908Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.818{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EB7-623C-7905-000000004202}5304C:\Temp\doublezero.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117907Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.818{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EB7-623C-7905-000000004202}5304C:\Temp\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084959Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:59.549{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4EB7-623C-0A05-000000004302}1876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084958Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:59.549{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084957Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:59.549{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084956Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:59.549{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084955Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:59.549{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084954Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:59.549{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084953Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:59.549{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084952Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:59.549{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084951Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:59.549{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084950Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:59.549{9531C931-286C-623C-0500-000000004302}408528C:\Windows\system32\csrss.exe{9531C931-4EB7-623C-0A05-000000004302}1876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084949Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:59.549{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084948Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:59.549{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4EB7-623C-0A05-000000004302}1876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084947Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:59.550{9531C931-4EB7-623C-0A05-000000004302}1876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000084946Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:56.769{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51621-false10.0.1.12-8000- 23542300x800000000000000084945Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:59.096{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=461F1BBBA29C6A0A784823913C4B17C4,SHA256=D3E75FE8E80450FA15982C62DF8830FFC76E6E9AF0AF2948058A2DB5C95875DF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117906Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.724{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EB7-623C-7905-000000004202}5304C:\Temp\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117905Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.677{5F3DCEF0-28A1-623C-9400-000000004202}5024412C:\Windows\Explorer.EXE{5F3DCEF0-4EB7-623C-7905-000000004202}5304C:\Temp\doublezero.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117904Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.677{5F3DCEF0-28A1-623C-9400-000000004202}5024412C:\Windows\Explorer.EXE{5F3DCEF0-4EB7-623C-7905-000000004202}5304C:\Temp\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117903Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.677{5F3DCEF0-28A1-623C-9400-000000004202}5024412C:\Windows\Explorer.EXE{5F3DCEF0-4EB7-623C-7905-000000004202}5304C:\Temp\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117902Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.677{5F3DCEF0-28A1-623C-8F00-000000004202}47164784C:\Windows\system32\taskhostw.exe{5F3DCEF0-4EB7-623C-7A05-000000004202}6472C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117901Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.662{5F3DCEF0-28A1-623C-8F00-000000004202}47164784C:\Windows\system32\taskhostw.exe{5F3DCEF0-4EB7-623C-7A05-000000004202}6472C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117900Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.646{5F3DCEF0-28A1-623C-9400-000000004202}50243552C:\Windows\Explorer.EXE{5F3DCEF0-4EB7-623C-7905-000000004202}5304C:\Temp\doublezero.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117899Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.646{5F3DCEF0-28A1-623C-9400-000000004202}50243552C:\Windows\Explorer.EXE{5F3DCEF0-4EB7-623C-7905-000000004202}5304C:\Temp\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117898Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.646{5F3DCEF0-28A1-623C-9400-000000004202}50243552C:\Windows\Explorer.EXE{5F3DCEF0-4EB7-623C-7905-000000004202}5304C:\Temp\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117897Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.646{5F3DCEF0-28A1-623C-9400-000000004202}50243552C:\Windows\Explorer.EXE{5F3DCEF0-4EB7-623C-7905-000000004202}5304C:\Temp\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117896Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.646{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4EB7-623C-7A05-000000004202}6472C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bc660|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117895Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.646{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4EB7-623C-7A05-000000004202}6472C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10ac30|C:\Windows\System32\SHELL32.dll+bc61c|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117894Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.646{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4EB7-623C-7A05-000000004202}6472C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bc5f0|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117893Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.646{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4EB7-623C-7A05-000000004202}6472C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+1007b9|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117892Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.630{5F3DCEF0-286D-623C-1600-000000004202}12601428C:\Windows\system32\svchost.exe{5F3DCEF0-4EB7-623C-7A05-000000004202}6472C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117891Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.630{5F3DCEF0-286D-623C-1600-000000004202}12601344C:\Windows\system32\svchost.exe{5F3DCEF0-4EB7-623C-7A05-000000004202}6472C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117890Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.630{5F3DCEF0-4EB7-623C-7A05-000000004202}64724308C:\Windows\system32\conhost.exe{5F3DCEF0-4EB7-623C-7905-000000004202}5304C:\Temp\doublezero.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117889Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.615{5F3DCEF0-289E-623C-8500-000000004202}29802452C:\Windows\system32\csrss.exe{5F3DCEF0-4EB7-623C-7A05-000000004202}6472C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117888Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.615{5F3DCEF0-286D-623C-1200-000000004202}3961416C:\Windows\System32\svchost.exe{5F3DCEF0-4EB7-623C-7A05-000000004202}6472C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117887Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.615{5F3DCEF0-286D-623C-1200-000000004202}3961416C:\Windows\System32\svchost.exe{5F3DCEF0-4EB7-623C-7905-000000004202}5304C:\Temp\doublezero.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117886Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.615{5F3DCEF0-286D-623C-1200-000000004202}3961060C:\Windows\System32\svchost.exe{5F3DCEF0-4EB7-623C-7905-000000004202}5304C:\Temp\doublezero.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117885Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.615{5F3DCEF0-286D-623C-1200-000000004202}3961060C:\Windows\System32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117884Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.615{5F3DCEF0-289E-623C-8500-000000004202}29806004C:\Windows\system32\csrss.exe{5F3DCEF0-4EB7-623C-7905-000000004202}5304C:\Temp\doublezero.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117883Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.615{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117882Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.615{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117881Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.615{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117880Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.615{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117879Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.615{5F3DCEF0-28A1-623C-9400-000000004202}50242088C:\Windows\Explorer.EXE{5F3DCEF0-4EB7-623C-7905-000000004202}5304C:\Temp\doublezero.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e70b|C:\Windows\System32\windows.storage.dll+16e421|C:\Windows\System32\windows.storage.dll+16e06e|C:\Windows\System32\windows.storage.dll+16f310|C:\Windows\System32\windows.storage.dll+16ddbe|C:\Windows\System32\windows.storage.dll+fce7d|C:\Windows\System32\windows.storage.dll+fd5bc|C:\Windows\System32\windows.storage.dll+fc920|C:\Windows\System32\windows.storage.dll+1664ca|C:\Windows\System32\windows.storage.dll+166222|C:\Windows\System32\SHELL32.dll+9cf3d|C:\Windows\System32\SHELL32.dll+9bad6|C:\Windows\System32\SHELL32.dll+d9be1|C:\Windows\System32\SHELL32.dll+c0bbe|C:\Windows\System32\SHELL32.dll+18d1bc|C:\Windows\System32\SHELL32.dll+18cf13|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000117878Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.615{5F3DCEF0-4EB7-623C-7905-000000004202}5304C:\Temp\doublezero.exe-----"C:\Temp\doublezero.exe" C:\Temp\ATTACKRANGE\Administrator{5F3DCEF0-28A0-623C-DB99-080000000000}0x899db2HighMD5=7D20FA01A703AFA8907E50417D27B0A4,SHA256=3B2E708EAA4744C76A633391CF2C983F4A098B46436525619E5EA44E105355FE,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 13241300x8000000000000000117877Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.localInvDB-VerSetValue2022-03-24 10:57:59.349{5F3DCEF0-286D-623C-1200-000000004202}396C:\Windows\System32\svchost.exe\REGISTRY\A\{07b02f55-7c29-51bf-28d7-371d3b938546}\Root\InventoryApplicationFile\doublezero-clean|db7e310811bb3823\BinProductVersion(Empty) 13241300x8000000000000000117876Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-24 10:57:59.349{5F3DCEF0-286D-623C-1200-000000004202}396C:\Windows\System32\svchost.exe\REGISTRY\A\{07b02f55-7c29-51bf-28d7-371d3b938546}\Root\InventoryApplicationFile\doublezero-clean|db7e310811bb3823\LinkDate05/28/2071 22:00:51 13241300x8000000000000000117875Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.localInvDB-PubSetValue2022-03-24 10:57:59.349{5F3DCEF0-286D-623C-1200-000000004202}396C:\Windows\System32\svchost.exe\REGISTRY\A\{07b02f55-7c29-51bf-28d7-371d3b938546}\Root\InventoryApplicationFile\doublezero-clean|db7e310811bb3823\Publisher(Empty) 13241300x8000000000000000117874Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.localInvDB-PathSetValue2022-03-24 10:57:59.349{5F3DCEF0-286D-623C-1200-000000004202}396C:\Windows\System32\svchost.exe\REGISTRY\A\{07b02f55-7c29-51bf-28d7-371d3b938546}\Root\InventoryApplicationFile\doublezero-clean|db7e310811bb3823\LowerCaseLongPathc:\temp\doublezero-cleaned.exe 924900x8000000000000000117873Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.349{5F3DCEF0-286D-623C-1200-000000004202}396C:\Windows\System32\svchost.exe\Device\Harddisk0\DR0 924900x8000000000000000117872Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.349{5F3DCEF0-286D-623C-1200-000000004202}396C:\Windows\System32\svchost.exe\Device\HarddiskVolume1 13241300x8000000000000000117871Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.localInvDBSetValue2022-03-24 10:57:59.302{5F3DCEF0-286D-623C-1200-000000004202}396C:\Windows\System32\svchost.exeHKU\S-1-5-21-121674864-1922237361-2357191555-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Temp\doublezero-cleaned.exeBinary Data 22542200x8000000000000000117870Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:57.186{5F3DCEF0-4EB4-623C-7705-000000004202}844win-dc-tcontreras-attack-range-891.attackrange.local0fe80::44c5:ef28:42ec:7b5;::ffff:10.0.1.14;C:\Temp\doublezero-cleaned.exe 23542300x8000000000000000117917Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:00.927{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB1ED3C675132D48B8465E57CB3F2FCC,SHA256=677E7940731FB0683D40664FD559F1D5C5BD26C1BD60B0E4003E625F7198E36A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084961Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:00.737{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=99442F8C4AAD2B50EC1EA531DE5D8196,SHA256=346100BD4974550977765ED4E9A6FE45C87943162609B76D25C1F9A5CE47BB61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084960Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:00.190{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB6E44C8CEF5F547F29649DEF642F79D,SHA256=F996B5F2EAA215A7D5807E9210BB5F026FCD1636BA31E0BC548A207BDCB9A772,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117916Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:00.146{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD575B1CB97F21D9461A0E4A56C371D1,SHA256=1904855380219A665E382E26A75DD668B9805E73370E4ACD95B9C0BDC87A88E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084962Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:01.284{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA5D7D9B2AA4623AA0FAB85CDC62EF3F,SHA256=085D7B473B3C51E017DBE8434AD1F80EC4235741D93FCF1F071C11ACD0E96211,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000117921Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.852{5F3DCEF0-4EB7-623C-7905-000000004202}5304win-dc-tcontreras-attack-range-891.attackrange.local0fe80::44c5:ef28:42ec:7b5;::ffff:10.0.1.14;C:\Temp\doublezero.exe 354300x8000000000000000117920Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.008{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local53domainfalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local64522- 354300x8000000000000000117919Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.007{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53022- 354300x8000000000000000117918Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.006{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local59161- 23542300x800000000000000084963Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:02.377{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7AD384B0A78475BC356EBF63723C15B,SHA256=FBA4E17745E2F58D484AF2A8C7ECD330FA47830BDEB6DC7D18B5ABC35069F05A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117933Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:02.505{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4EBA-623C-7B05-000000004202}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117932Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:02.505{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117931Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:02.505{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117930Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:02.505{5F3DCEF0-286A-623C-0500-000000004202}404420C:\Windows\system32\csrss.exe{5F3DCEF0-4EBA-623C-7B05-000000004202}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117929Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:02.505{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117928Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:02.505{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117927Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:02.505{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4EBA-623C-7B05-000000004202}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000117926Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:02.506{5F3DCEF0-4EBA-623C-7B05-000000004202}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000117925Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.613{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63222-false10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local389ldap 354300x8000000000000000117924Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.613{00000000-0000-0000-0000-000000000000}5304<unknown process>-tcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63222-false10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local389ldap 13241300x8000000000000000117923Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.localInvDBSetValue2022-03-24 10:58:02.037{5F3DCEF0-286D-623C-1200-000000004202}396C:\Windows\System32\svchost.exeHKU\S-1-5-21-121674864-1922237361-2357191555-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Temp\doublezero.exeBinary Data 23542300x8000000000000000117922Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:02.021{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90BB073016BB5AA28A49F5F4E1EB92AC,SHA256=46436CF07D1B2E6E4E9429DAB2CB552C7E96B32943BC8194A7572EB69D583F9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084964Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:03.471{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A1C875CBC9AE22CEDA5F33A98FC0162,SHA256=517C5B6CE940AE5D68BCD7EB84CAD008125D89F8A6852EE7A0D082502FED01D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117935Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:03.599{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CAB936F214C8500699D981D628E484C6,SHA256=6588B6A39128E7EA3A74087D716707BBC89C8ED85119F6237200E1B7F17B5AB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117934Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:03.115{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AB0F5551A94C4F459EDE14FA3F88652,SHA256=CF5BF2010FB4FCC0EEBFC60B894D4211A99A615FDA3869A8DFCAE4A5B6848264,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084966Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:04.565{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A83E9C75C5197652B14BF198E120F82,SHA256=8C14019FD7F00AC1BBB768AC05D10B0627EED7622A87CA09D63F27D76BD43890,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117954Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:04.537{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4EBC-623C-7D05-000000004202}104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117953Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:04.537{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117952Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:04.537{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117951Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:04.537{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117950Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:04.537{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117949Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:04.537{5F3DCEF0-286A-623C-0500-000000004202}404608C:\Windows\system32\csrss.exe{5F3DCEF0-4EBC-623C-7D05-000000004202}104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117948Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:04.537{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4EBC-623C-7D05-000000004202}104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000117947Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:04.538{5F3DCEF0-4EBC-623C-7D05-000000004202}104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000117946Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:04.302{5F3DCEF0-4EBC-623C-7C05-000000004202}3802696C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000117945Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:04.208{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9CA54973A530251AFE09DBA3E55C395,SHA256=FCDE6106EFE669CC36028D0BCA7BF0E4B6E5313F716DFAA0EE39C08F3A170BDF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000117944Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:01.925{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63223-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000084965Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:02.769{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51622-false10.0.1.12-8000- 10341000x8000000000000000117943Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:04.037{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4EBC-623C-7C05-000000004202}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117942Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:04.037{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117941Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:04.037{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117940Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:04.037{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117939Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:04.037{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117938Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:04.037{5F3DCEF0-286A-623C-0500-000000004202}4041324C:\Windows\system32\csrss.exe{5F3DCEF0-4EBC-623C-7C05-000000004202}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117937Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:04.037{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4EBC-623C-7C05-000000004202}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000117936Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:04.037{5F3DCEF0-4EBC-623C-7C05-000000004202}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000084967Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:05.659{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=124A96A31429059E055C69298D8C4CBB,SHA256=1AC16D59CFF9A0256F87A3BA895AA63EB57318105BF49A2B09445E3B0B013B4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117956Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:05.755{5F3DCEF0-287B-623C-3200-000000004202}2344NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=DCF1D0A2872A412BD00563170F473C47,SHA256=115C1598B884ED47184C7CF854DC3C3CF6DDBF66783C9C0D0886165ABD3C37E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117955Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:05.302{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70D7A4479121D36AF5FFF0E2CDB4FA17,SHA256=6B2F8E014A65715B636F2EEF5A33396DE855A5E91527A3D4C266D2B33B5DE136,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084968Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:06.752{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFFDF1A3F5EE008081DDE61378AA6455,SHA256=5200A3C185E608364F3C5564B413A86D06916FC2336049C57B4E9564D639ED22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117957Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:06.412{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D598F27AB40BB899751D54D9D9EFF607,SHA256=00D103E5D6743A4E2DD3A170DF29EA647DB289C653D119EE810B13742BBDC138,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084969Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:07.846{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04A6AAD4A7340FD1C32A61C1B9FDE6C4,SHA256=44BE3A4F30A1338715DFEC506E00FBFDD960CFB421D1DAD9E0FEEC6537A638D5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117983Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:07.787{5F3DCEF0-4EBF-623C-7F05-000000004202}22885052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117982Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:07.585{5F3DCEF0-28A1-623C-9400-000000004202}5024412C:\Windows\Explorer.EXE{5F3DCEF0-4E9D-623C-7605-000000004202}7004C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117981Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:07.585{5F3DCEF0-28A1-623C-9400-000000004202}5024412C:\Windows\Explorer.EXE{5F3DCEF0-4E9D-623C-7605-000000004202}7004C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117980Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:07.585{5F3DCEF0-28A1-623C-9400-000000004202}5024412C:\Windows\Explorer.EXE{5F3DCEF0-4E9D-623C-7605-000000004202}7004C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000117979Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:07.505{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D21FE4C46D83ECFAFCD892C993425CB2,SHA256=E1BB7889051A71D40468AAF29C8AC8483C6771FD3A7B1A7ADFD46132CB784270,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117978Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:07.458{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4E9D-623C-7605-000000004202}7004C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bc660|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117977Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:07.458{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4E9D-623C-7605-000000004202}7004C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10ac30|C:\Windows\System32\SHELL32.dll+bc61c|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117976Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:07.458{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4E9D-623C-7605-000000004202}7004C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bc5f0|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117975Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:07.458{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4E9D-623C-7605-000000004202}7004C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+1007b9|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117974Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:07.445{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4EBF-623C-7F05-000000004202}2288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117973Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:07.445{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117972Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:07.445{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117971Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:07.445{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117970Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:07.445{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117969Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:07.445{5F3DCEF0-286A-623C-0500-000000004202}404420C:\Windows\system32\csrss.exe{5F3DCEF0-4EBF-623C-7F05-000000004202}2288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117968Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:07.445{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4EBF-623C-7F05-000000004202}2288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000117967Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:07.446{5F3DCEF0-4EBF-623C-7F05-000000004202}2288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000117966Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:07.349{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117965Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:07.349{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117964Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:07.349{5F3DCEF0-289E-623C-8500-000000004202}29802452C:\Windows\system32\csrss.exe{5F3DCEF0-4EBF-623C-7E05-000000004202}5224C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117963Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:07.349{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117962Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:07.349{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117961Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:07.349{5F3DCEF0-28A1-623C-9400-000000004202}50246948C:\Windows\Explorer.EXE{5F3DCEF0-4EBF-623C-7E05-000000004202}5224C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Notepad++\NppShell_06.dll+4449|C:\Program Files\Notepad++\NppShell_06.dll+46a6|C:\Windows\System32\SHELL32.dll+d9c67|C:\Windows\System32\SHELL32.dll+c0bbe|C:\Windows\System32\SHELL32.dll+15890c|C:\Windows\System32\SHELL32.dll+1982a8|C:\Windows\System32\SHELL32.dll+284613|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+158c54|C:\Windows\System32\SHELL32.dll+15602e|C:\Windows\System32\SHELL32.dll+cd0c1|C:\Windows\System32\SHELL32.dll+cffa6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53 154100x8000000000000000117960Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:07.361{5F3DCEF0-4EBF-623C-7E05-000000004202}5224C:\Program Files\Notepad++\notepad++.exe8.33Notepad++ : a free (GPL) source code editorNotepad++Don HO don.h@free.frnotepad++.exe"C:\Program Files\Notepad++\notepad++.exe" "C:\Temp\3.png"C:\Windows\system32\ATTACKRANGE\Administrator{5F3DCEF0-28A0-623C-DB99-080000000000}0x899db2HighMD5=4F97FC820667DEBD2A076D99E4656179,SHA256=7CBA6F6EDC53CAFAC8D74451EE4EFCFF1CA0D8EAF5BF111B9717B3A14BC5791F,IMPHASH=6BF41AAD44CE76BBBB7AA843748061B9{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 354300x8000000000000000117959Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:05.801{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local63224-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local389ldap 354300x8000000000000000117958Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:05.801{5F3DCEF0-287B-623C-2E00-000000004202}3044C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local63224-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local389ldap 23542300x800000000000000084970Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:08.940{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7968258AD5237A4E564D44C0FD9EB59,SHA256=E0A027AD3C31813407900930463E2EA81AD075E2E7E6FAAF1CC71EB55253503A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118000Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:08.974{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4EC0-623C-8105-000000004202}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117999Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:08.974{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117998Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:08.974{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117997Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:08.974{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117996Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:08.974{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117995Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:08.974{5F3DCEF0-286A-623C-0500-000000004202}4041324C:\Windows\system32\csrss.exe{5F3DCEF0-4EC0-623C-8105-000000004202}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117994Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:08.974{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4EC0-623C-8105-000000004202}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000117993Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:08.975{5F3DCEF0-4EC0-623C-8105-000000004202}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000117992Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:08.662{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02574D865A0266B34406BEE12C8BA41F,SHA256=4A3638F132ACBB58E44FF4150FFA6273B669FC93A19E04A29021D8903624DAC6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117991Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:08.302{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4EC0-623C-8005-000000004202}6292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117990Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:08.302{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117989Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:08.302{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117988Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:08.302{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117987Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:08.302{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117986Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:08.302{5F3DCEF0-286A-623C-0500-000000004202}404520C:\Windows\system32\csrss.exe{5F3DCEF0-4EC0-623C-8005-000000004202}6292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117985Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:08.302{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4EC0-623C-8005-000000004202}6292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000117984Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:08.303{5F3DCEF0-4EC0-623C-8005-000000004202}6292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000118011Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:09.771{5F3DCEF0-4EC1-623C-8205-000000004202}20362852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000118010Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:09.708{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC3A4238CA31853A430CA64A48EA662E,SHA256=EEE42C6C18460513BC55D8EC99EE598E4B2E5B41586ABEBD765A61A65240780C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118009Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:09.474{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4EC1-623C-8205-000000004202}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118008Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:09.474{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118007Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:09.474{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118006Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:09.474{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118005Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:09.474{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118004Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:09.474{5F3DCEF0-286A-623C-0500-000000004202}404520C:\Windows\system32\csrss.exe{5F3DCEF0-4EC1-623C-8205-000000004202}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118003Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:09.474{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4EC1-623C-8205-000000004202}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118002Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:09.475{5F3DCEF0-4EC1-623C-8205-000000004202}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000118001Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:09.211{5F3DCEF0-4EC0-623C-8105-000000004202}46922140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000118014Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:10.802{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42CEE6EA05BFBD1C3C2F0154CC996FC3,SHA256=A2B3F23A69A172B66423DABF72380F11F366CDCC0233DC3E6A1B355262DE72C7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084972Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:08.769{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51623-false10.0.1.12-8000- 23542300x800000000000000084971Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:10.034{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A21DEE34E4AA394AE782F8BE8C2C77CA,SHA256=E6DD9154F0AFB2C9964F106EFBAE7275EE4D2A416F1F9D28A6A7026D57038D4E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118013Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:07.956{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63225-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118012Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:10.068{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B05715BEB82C02FFF2CADFE7FD40BC2,SHA256=E43240CDB4D4FF6F36BEA3E5CE29F8712CC9A5935D5A0B7CF983931A6F50AE24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118015Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:11.896{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD6FFFCDE7DB6F32B992F5F480D32C5A,SHA256=62A7FC2B04578F22C9AE1FECB6CF3E56EB9C29FDD8A2FA936EE021BB88F5B084,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084973Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:11.127{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4D9BDE6466D8D1B1D66DCA2D822BBB4,SHA256=BCEAAD5CFF99F690DC5E0A35C194330F6AF95402C3A2299DE40D3D03FA1D5407,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118016Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:12.990{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98653B7CAC961FEE1DC936A2333CF9BD,SHA256=5304F39DEA53ED52192DDAE7A4E221F8B7021E4312113454F17AE90945E16A0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084974Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:12.221{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3AAE279A64B077B7554F60EAA5A8662,SHA256=EAE231499F1CE9A3D98B0E184C978CB11EB6D307124CBDD51056B15767879A01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084975Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:13.315{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F586A8F3C67ECE1C3C2D46E613136C45,SHA256=0A0B1CA5BA00D3350973E418A3C2DA980FD303E7F5B4CBB6496002E0677BBF62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084976Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:14.409{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14B133710D2105DDBC950A48130A4448,SHA256=A8AD59FDFD6083BB4F2DA77ADC273E456CE240347AF97C68DEF38E70A42DA25E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118017Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:14.083{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC90DC76852359C183D324E53D2E1141,SHA256=A6E619D42BDECA34A450479D4DC41223725590AC29BC17A2668B58AE39642B39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084977Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:15.502{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E2D717B042E19D89F0B04D8B2ED993A,SHA256=4B6A11B01F3F3FFEC9D4AAC83EB968FEF9D4748267470A283E23B9955CC37E0A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118019Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:13.831{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63226-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118018Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:15.177{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02FC83FEE468C26057377D30E9765E3B,SHA256=DA623F061F85AD2D3E12EC372BC2C0C5C8B3C0A4C8F5B39F2075AE74742FCB86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084978Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:16.597{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E87B34D3085EF1FC0DED1694D1620390,SHA256=FE404E854E1141891ADDBF97D289BDB2E12910693F74378E18E086866AEE6DEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118020Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:16.272{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9796044C8BB687F7FEC58BEC273FCF94,SHA256=0BE2C2757211C125277C8B61208F5802012254D8E516E71BDC0D6FAB7E78A129,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084980Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:14.566{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51624-false10.0.1.12-8000- 23542300x800000000000000084979Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:17.707{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06827E97F036AA0CC9F770E009497FBA,SHA256=A699EAF46DC220DB9C8833D07051E489034342E851A159E079B340A747FB7245,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118021Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:17.366{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43D18F2A38E5D09C670E960DF3EA2C5D,SHA256=94F01693EDE57AE4F0041DEFC3425D3DB644264835723A237ED21E75D4CA1D18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084981Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:18.816{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CCDD5D948D09948C222EA320AAC4575,SHA256=69EE7626AECC478A72C2FBD15E088390F6C837CD3EF20D56CA3070EA6D091040,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118022Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:18.460{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0CA3AEAC2BEF39614BC1586E4DFD99C,SHA256=503926A3FB202FA39F8D8B1C4BDAD018D293F51F58A7B12627A1BCF58CF86FA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084982Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:19.910{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14ADC8C6D91EB83FADC305345F0BF54A,SHA256=031C0E2A4536BD1222CFBAD0564B0C51E6FE46C42CAF7E4A6510F4CABB8B38AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118023Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:19.554{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD041F9BB13AD08A4310B8B727409B63,SHA256=B24CCFC8BB10E985D3058F63C4C78AE353F6AD48C57F5D1A0D79D46D530A6D5B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118050Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:18.988{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63227-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118049Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:20.647{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD943E9274E2C9E1237A600220A2D54A,SHA256=195691AA5A8D87EF24D2D6633A9E4A4C1FFB205B836AD5A0CC5995A0F81F3191,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118048Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:20.382{5F3DCEF0-28A1-623C-9400-000000004202}5024412C:\Windows\Explorer.EXE{5F3DCEF0-4ECC-623C-8305-000000004202}960C:\Windows\system32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118047Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:20.382{5F3DCEF0-28A1-623C-9400-000000004202}5024412C:\Windows\Explorer.EXE{5F3DCEF0-4ECC-623C-8305-000000004202}960C:\Windows\system32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118046Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:20.382{5F3DCEF0-28A1-623C-9400-000000004202}5024412C:\Windows\Explorer.EXE{5F3DCEF0-4ECC-623C-8305-000000004202}960C:\Windows\system32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118045Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:20.366{5F3DCEF0-28A1-623C-8F00-000000004202}47164784C:\Windows\system32\taskhostw.exe{5F3DCEF0-4ECC-623C-8305-000000004202}960C:\Windows\system32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118044Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:20.366{5F3DCEF0-28A1-623C-8F00-000000004202}47164784C:\Windows\system32\taskhostw.exe{5F3DCEF0-4ECC-623C-8305-000000004202}960C:\Windows\system32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118043Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:20.350{5F3DCEF0-28A1-623C-9400-000000004202}50246424C:\Windows\Explorer.EXE{5F3DCEF0-4ECC-623C-8305-000000004202}960C:\Windows\system32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118042Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:20.350{5F3DCEF0-28A1-623C-9400-000000004202}50246424C:\Windows\Explorer.EXE{5F3DCEF0-4ECC-623C-8305-000000004202}960C:\Windows\system32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118041Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:20.335{5F3DCEF0-28A1-623C-9400-000000004202}50246424C:\Windows\Explorer.EXE{5F3DCEF0-4ECC-623C-8305-000000004202}960C:\Windows\system32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118040Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:20.335{5F3DCEF0-28A1-623C-9400-000000004202}50246424C:\Windows\Explorer.EXE{5F3DCEF0-4ECC-623C-8305-000000004202}960C:\Windows\system32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118039Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:20.335{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4ECC-623C-8305-000000004202}960C:\Windows\system32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bc660|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118038Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:20.335{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4ECC-623C-8305-000000004202}960C:\Windows\system32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10ac30|C:\Windows\System32\SHELL32.dll+bc61c|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118037Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:20.335{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4ECC-623C-8305-000000004202}960C:\Windows\system32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bc5f0|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118036Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:20.335{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4ECC-623C-8305-000000004202}960C:\Windows\system32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+1007b9|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118035Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:20.288{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-4ECC-623C-8305-000000004202}960C:\Windows\system32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000118034Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:20.241{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\7-Zip.lnk2022-03-24 10:58:20.241 11241100x8000000000000000118033Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:20.225{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\History.txt.lnk2022-03-24 10:58:20.225 10341000x8000000000000000118032Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:20.210{5F3DCEF0-286D-623C-1600-000000004202}12601428C:\Windows\system32\svchost.exe{5F3DCEF0-4ECC-623C-8305-000000004202}960C:\Windows\system32\NOTEPAD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118031Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:20.210{5F3DCEF0-286D-623C-1600-000000004202}12601344C:\Windows\system32\svchost.exe{5F3DCEF0-4ECC-623C-8305-000000004202}960C:\Windows\system32\NOTEPAD.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118030Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:20.147{5F3DCEF0-289E-623C-8500-000000004202}29806004C:\Windows\system32\csrss.exe{5F3DCEF0-4ECC-623C-8305-000000004202}960C:\Windows\system32\NOTEPAD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118029Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:20.147{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118028Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:20.147{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118027Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:20.147{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118026Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:20.147{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118025Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:20.147{5F3DCEF0-28A1-623C-9400-000000004202}50244504C:\Windows\Explorer.EXE{5F3DCEF0-4ECC-623C-8305-000000004202}960C:\Windows\system32\NOTEPAD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e70b|C:\Windows\System32\windows.storage.dll+16e421|C:\Windows\System32\windows.storage.dll+16e06e|C:\Windows\System32\windows.storage.dll+16f310|C:\Windows\System32\windows.storage.dll+16ddbe|C:\Windows\System32\windows.storage.dll+fce7d|C:\Windows\System32\windows.storage.dll+fd5bc|C:\Windows\System32\windows.storage.dll+fc920|C:\Windows\System32\windows.storage.dll+1664ca|C:\Windows\System32\windows.storage.dll+166222|C:\Windows\System32\SHELL32.dll+9cf3d|C:\Windows\System32\SHELL32.dll+9bad6|C:\Windows\System32\SHELL32.dll+d9be1|C:\Windows\System32\SHELL32.dll+c0bbe|C:\Windows\System32\SHELL32.dll+15890c|C:\Windows\System32\SHELL32.dll+1982a8|C:\Windows\System32\SHELL32.dll+284613|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+158c54 154100x8000000000000000118024Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:20.147{5F3DCEF0-4ECC-623C-8305-000000004202}960C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\7-Zip\History.txtC:\Program Files\7-Zip\ATTACKRANGE\Administrator{5F3DCEF0-28A0-623C-DB99-080000000000}0x899db2HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x8000000000000000118052Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:21.741{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=478D0B177337B084BFB0C303431AC0E5,SHA256=BA1E0A435537ED23D2A7C5161C45895FB9993C84CF5361292CD72E90B8BE24E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084984Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:19.661{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51625-false10.0.1.12-8000- 23542300x800000000000000084983Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:21.004{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFB496119549884953DBCDEF5F384F12,SHA256=0FA86C37251DFC857ABEB9E7978897B370B8CE4648C6D637B83165AEF1542EA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118051Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:21.241{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=51D3C954D75A91B63CD6431BB35190C9,SHA256=9442679DC8F8464CA23C4A741DB3BFC7701F230C62593CEDF567E0BD29406C91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118053Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:22.835{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27E7DEDCD5E82C498A739225F70554D6,SHA256=52541FEB9310A35243A9E1C29E42FD6CB339CE0BBB6A9B4B594861B219BA2ECE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084985Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:22.097{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD2D2E1106E543EC29DB472F101DAB07,SHA256=D35AC3C16E8D214CCD7E96BEF87157824C942130F7B77BDD3AC46AF9416DFA16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118054Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:23.929{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23F9CEDBECDBA8AB61D015C3F1F179B6,SHA256=4B369D760BB9655AAD6BB3403B01388A5218D7900C5BC9643A2B5AF24ACAA6D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084986Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:23.191{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4224496B075EBB65554AF4DEB40F5FE,SHA256=DC6D0F26257360E00CED42037C06B46B9753253D1EABFA167625674801226778,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084987Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:24.287{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5949D522351D04B48F18ACAD061AF9B,SHA256=A59F8B5A7959224F99F8BD2446FFF1AC1036BC598E8F2C27C852AFFAB13758AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084989Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:25.379{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03B9C1C56209D23E1B4754C6B2DFAC12,SHA256=EA65C6D71B763A863F0621EBA799013065A55C101D3020D3B1431A6DAE49B611,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118055Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:25.022{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=629A87B3BCA0B4941FF760B9668C03B5,SHA256=AE6A9B81704C87DCE60D93C7484E1B81DBE80F29F028DA1222E064C4DCC3A29E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084988Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:25.004{9531C931-286E-623C-2100-000000004302}2000NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=DE1A5088BC8284564437444D8D371347,SHA256=E32214E7FA08030DE20CE65B2CB66A12A1520539FE9F3436AC5B005E4EFE05F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084991Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:24.739{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51626-false10.0.1.12-8000- 23542300x800000000000000084990Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:26.488{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3C7A434605C60F909B79EE498F0070B,SHA256=CCDF28D064B7F935DD9B0BE61889217ADACA355506AD108FA3133B3A8F62EB96,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118057Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:24.879{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63228-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118056Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:26.116{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FDF307227ECBD6DB002E2865078E5E9,SHA256=C936713FB4463639757ACA1C15ACE41ACC579471A44CF76DD1B732911FB0282D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084992Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:27.582{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9C0BA3399643E4E9EDD414D2812A71C,SHA256=110F83300FDA63043C851DF1F6E6ECE127C4D5FD9C88CE56FE4E5DCAE43507F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118058Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:27.210{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEA7F98CFD63968AC9E4F35FDAE9F4DD,SHA256=B376FBE840448268673DFC2975DFE688D945E56AB4732B1D4CC7B0AF17482939,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084993Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:28.675{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8988A76D10107AE6B5D221014EDE7B42,SHA256=2D0211F0767184412A218C8E9DB297128F6A0F9CBEFCCA80328620683598A166,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118059Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:28.304{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FF1FB0CE8E8A0013AA65107339D86EC,SHA256=A6DB03D5DD47705D7CF7A748457A32D26C4FABFBBDC81236424FD517A37E3665,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084994Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:29.769{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9525F1A68E297558892C513A1EF33500,SHA256=D69FD84581620E37A0850F6464E5D3A95F12D8D51A78BC46455AC36185DB678D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118060Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:29.397{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E60FFC6537363865B3F24E22BC56C19,SHA256=245D1B716491121B65007AC09F93B0CC3E59FC5942E64A8A1272B4CBA9B5866D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084995Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:30.863{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B4AF4E24D1F2F5D799CD279B3A579DD,SHA256=C6197ABD0ABDF9F22420F22B23FE41F7F55D0A75025CCD134F2C771ECF6F9605,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118061Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:30.491{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AFF93BD24DE47A30EC544DE8F675234,SHA256=4CCA88A69AC4AB7B1F109D81700541E0FF99760970FAB87804DDF97D02FD2D27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084997Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:31.957{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=159711993E70BD4E380CFF2F36573780,SHA256=E6DB5B4AA0DB7919AAAF680C824A9CCEFA55A6C481D6AD969BABA33B1FD0237B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118100Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.632{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CE1CB989F034718117F3A1777A6DC06,SHA256=762DB2A8025FBB2D91064F04B183113277BE2F57C2AFE288191A379B4E5AC122,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118099Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.585{5F3DCEF0-4ED7-623C-8405-000000004202}992ATTACKRANGE\AdministratorC:\Temp\doublezero.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\SchCache\win-dc-tcontreras-attack-range-891.attackrange.local.schMD5=3B3531A335298119AD90D9B9BEB810AF,SHA256=77996876B4230A7DFCE13A77C0AA2E3B969AFA2A4562FD8583B6DDE3742EB2AD,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000118098Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.507{5F3DCEF0-4ED7-623C-8405-000000004202}992C:\Temp\doublezero.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x8000000000000000118097Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.507{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4ED7-623C-8405-000000004202}992C:\Temp\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118096Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.491{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4ED7-623C-8405-000000004202}992C:\Temp\doublezero.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118095Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.491{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4ED7-623C-8405-000000004202}992C:\Temp\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118094Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.491{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4ED7-623C-8405-000000004202}992C:\Temp\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000084996Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:31.425{9531C931-286E-623C-2100-000000004302}2000NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B25FDCC12974A9C381F03B139373D5A,SHA256=CCB13157BCC6FA0284F12C6446F2447FFDD0F4F85F98465868293CDAEA96B09E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118093Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.475{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4ED7-623C-8405-000000004202}992C:\Temp\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118092Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.475{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4ED7-623C-8405-000000004202}992C:\Temp\doublezero.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118091Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.475{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4ED7-623C-8405-000000004202}992C:\Temp\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118090Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.444{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4ED7-623C-8405-000000004202}992C:\Temp\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118089Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.413{5F3DCEF0-28A1-623C-9400-000000004202}5024412C:\Windows\Explorer.EXE{5F3DCEF0-4ED7-623C-8405-000000004202}992C:\Temp\doublezero.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118088Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.397{5F3DCEF0-28A1-623C-9400-000000004202}5024412C:\Windows\Explorer.EXE{5F3DCEF0-4ED7-623C-8405-000000004202}992C:\Temp\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118087Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.397{5F3DCEF0-28A1-623C-9400-000000004202}5024412C:\Windows\Explorer.EXE{5F3DCEF0-4ED7-623C-8405-000000004202}992C:\Temp\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118086Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.397{5F3DCEF0-28A1-623C-8F00-000000004202}47164784C:\Windows\system32\taskhostw.exe{5F3DCEF0-4ED7-623C-8505-000000004202}4936C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118085Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.397{5F3DCEF0-28A1-623C-8F00-000000004202}47164784C:\Windows\system32\taskhostw.exe{5F3DCEF0-4ED7-623C-8505-000000004202}4936C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118084Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.382{5F3DCEF0-28A1-623C-9400-000000004202}50246424C:\Windows\Explorer.EXE{5F3DCEF0-4ED7-623C-8405-000000004202}992C:\Temp\doublezero.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118083Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.382{5F3DCEF0-28A1-623C-9400-000000004202}50246424C:\Windows\Explorer.EXE{5F3DCEF0-4ED7-623C-8405-000000004202}992C:\Temp\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118082Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.382{5F3DCEF0-28A1-623C-9400-000000004202}50246424C:\Windows\Explorer.EXE{5F3DCEF0-4ED7-623C-8405-000000004202}992C:\Temp\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118081Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.382{5F3DCEF0-28A1-623C-9400-000000004202}50246424C:\Windows\Explorer.EXE{5F3DCEF0-4ED7-623C-8405-000000004202}992C:\Temp\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118080Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.382{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4ED7-623C-8505-000000004202}4936C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bc660|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118079Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.382{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4ED7-623C-8505-000000004202}4936C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10ac30|C:\Windows\System32\SHELL32.dll+bc61c|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118078Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.382{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4ED7-623C-8505-000000004202}4936C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bc5f0|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118077Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.382{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4ED7-623C-8505-000000004202}4936C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+1007b9|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118076Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.366{5F3DCEF0-286D-623C-1600-000000004202}12601428C:\Windows\system32\svchost.exe{5F3DCEF0-4ED7-623C-8505-000000004202}4936C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118075Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.366{5F3DCEF0-286D-623C-1600-000000004202}12601344C:\Windows\system32\svchost.exe{5F3DCEF0-4ED7-623C-8505-000000004202}4936C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118074Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.366{5F3DCEF0-4ED7-623C-8505-000000004202}49361828C:\Windows\system32\conhost.exe{5F3DCEF0-4ED7-623C-8405-000000004202}992C:\Temp\doublezero.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118073Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.350{5F3DCEF0-289E-623C-8500-000000004202}29804132C:\Windows\system32\csrss.exe{5F3DCEF0-4ED7-623C-8505-000000004202}4936C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118072Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.350{5F3DCEF0-286D-623C-1200-000000004202}3961416C:\Windows\System32\svchost.exe{5F3DCEF0-4ED7-623C-8505-000000004202}4936C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118071Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.350{5F3DCEF0-286D-623C-1200-000000004202}3961416C:\Windows\System32\svchost.exe{5F3DCEF0-4ED7-623C-8405-000000004202}992C:\Temp\doublezero.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118070Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.350{5F3DCEF0-286D-623C-1200-000000004202}3961060C:\Windows\System32\svchost.exe{5F3DCEF0-4ED7-623C-8405-000000004202}992C:\Temp\doublezero.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118069Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.350{5F3DCEF0-286D-623C-1200-000000004202}3961060C:\Windows\System32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118068Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.350{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118067Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.350{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118066Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.350{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118065Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.350{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118064Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.350{5F3DCEF0-289E-623C-8500-000000004202}29804996C:\Windows\system32\csrss.exe{5F3DCEF0-4ED7-623C-8405-000000004202}992C:\Temp\doublezero.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118063Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.350{5F3DCEF0-28A1-623C-9400-000000004202}5024748C:\Windows\Explorer.EXE{5F3DCEF0-4ED7-623C-8405-000000004202}992C:\Temp\doublezero.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e70b|C:\Windows\System32\windows.storage.dll+16e421|C:\Windows\System32\windows.storage.dll+16e06e|C:\Windows\System32\windows.storage.dll+16f310|C:\Windows\System32\windows.storage.dll+16ddbe|C:\Windows\System32\windows.storage.dll+fce7d|C:\Windows\System32\windows.storage.dll+fd5bc|C:\Windows\System32\windows.storage.dll+fc920|C:\Windows\System32\windows.storage.dll+1664ca|C:\Windows\System32\windows.storage.dll+166222|C:\Windows\System32\SHELL32.dll+9cf3d|C:\Windows\System32\SHELL32.dll+9bad6|C:\Windows\System32\SHELL32.dll+d9be1|C:\Windows\System32\SHELL32.dll+c0bbe|C:\Windows\System32\SHELL32.dll+18d1bc|C:\Windows\System32\SHELL32.dll+18cf13|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118062Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.353{5F3DCEF0-4ED7-623C-8405-000000004202}992C:\Temp\doublezero.exe-----"C:\Temp\doublezero.exe" C:\Temp\ATTACKRANGE\Administrator{5F3DCEF0-28A0-623C-DB99-080000000000}0x899db2HighMD5=7D20FA01A703AFA8907E50417D27B0A4,SHA256=3B2E708EAA4744C76A633391CF2C983F4A098B46436525619E5EA44E105355FE,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x8000000000000000118102Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:32.600{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C859EC4922209ADB46ECB4C03BF9F45,SHA256=30054FBDD79A582329845B86B0EAE8B9DA5B6F52787F7223F06DE7A60352A7A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118101Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:32.413{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FC183313D27FC3614603A27E3B7D8C21,SHA256=911881A5FC5F1A3DF0D35853ED397EF378AEDD2AF314A744969AB8FC59EED0BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118108Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:33.694{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35449C2C32472E096A01DB8400579955,SHA256=E29F4DB1EE514FE04B9D3667206EFB2D151C78FEC81DCC6102485D728FB00429,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000118107Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.localInvDBSetValue2022-03-24 10:58:33.632{5F3DCEF0-286D-623C-1200-000000004202}396C:\Windows\System32\svchost.exeHKU\S-1-5-21-121674864-1922237361-2357191555-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Temp\doublezero.exeBinary Data 354300x800000000000000085000Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:30.961{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51628-false10.0.1.12-8089- 354300x800000000000000084999Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:30.677{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51627-false10.0.1.12-8000- 23542300x800000000000000084998Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:33.050{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E9A3F73520363F4E42C2B632021DA0D,SHA256=34931CD18AF7CAEDCF1F051F050815C5044A69A7E0121809620ABEC67966D6D5,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000118106Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.508{5F3DCEF0-4ED7-623C-8405-000000004202}992win-dc-tcontreras-attack-range-891.attackrange.local0fe80::44c5:ef28:42ec:7b5;::ffff:10.0.1.14;C:\Temp\doublezero.exe 354300x8000000000000000118105Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.271{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63230-false10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local389ldap 354300x8000000000000000118104Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.271{00000000-0000-0000-0000-000000000000}992<unknown process>-tcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63230-false10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local389ldap 354300x8000000000000000118103Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:30.879{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63229-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000085001Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:34.144{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ED3C49B50E522B377ACE1CB9804B827,SHA256=56080E58A3ECE3828FE62CF243651FE74BD8FADA8EAD5FB3C07C06D2E3681801,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118142Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:34.975{5F3DCEF0-28A1-623C-9400-000000004202}5024412C:\Windows\Explorer.EXE{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10c19|C:\Windows\System32\SHELL32.dll+bb850|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118141Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:34.975{5F3DCEF0-28A1-623C-9400-000000004202}5024412C:\Windows\Explorer.EXE{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118140Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:34.960{5F3DCEF0-28A1-623C-8F00-000000004202}47164784C:\Windows\system32\taskhostw.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118139Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:34.960{5F3DCEF0-28A1-623C-8F00-000000004202}47164784C:\Windows\system32\taskhostw.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118138Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:34.960{5F3DCEF0-28A1-623C-9400-000000004202}50246424C:\Windows\Explorer.EXE{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10c19|C:\Windows\System32\SHELL32.dll+bb850|C:\Windows\System32\SHELL32.dll+9d94|C:\Windows\Explorer.EXE+1e118|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118137Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:34.960{5F3DCEF0-28A1-623C-9400-000000004202}50246424C:\Windows\Explorer.EXE{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+9d94|C:\Windows\Explorer.EXE+1e118|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118136Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:34.960{5F3DCEF0-28A1-623C-9400-000000004202}50246424C:\Windows\Explorer.EXE{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10c19|C:\Windows\System32\SHELL32.dll+bb850|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118135Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:34.960{5F3DCEF0-28A1-623C-9400-000000004202}50246424C:\Windows\Explorer.EXE{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118134Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:34.960{5F3DCEF0-28A1-623C-9400-000000004202}50246424C:\Windows\Explorer.EXE{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118133Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:34.960{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10c19|C:\Windows\System32\SHELL32.dll+bb850|C:\Windows\System32\SHELL32.dll+bc5f0|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118132Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:34.960{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bc5f0|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118131Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:34.960{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+1007b9|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118130Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:34.944{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118129Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:34.944{5F3DCEF0-286D-623C-1600-000000004202}12601428C:\Windows\system32\svchost.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118128Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:34.944{5F3DCEF0-286D-623C-1600-000000004202}12601344C:\Windows\system32\svchost.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118127Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:34.928{5F3DCEF0-4EDA-623C-8705-000000004202}41967068C:\Program Files\Mozilla Firefox\firefox.exe{5F3DCEF0-4EDA-623C-8605-000000004202}4204C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+b5f3|C:\Program Files\Mozilla Firefox\firefox.exe+991d|C:\Program Files\Mozilla Firefox\firefox.exe+1ca68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118126Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:34.928{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118125Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:34.928{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118124Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:34.913{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118123Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:34.913{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118122Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:34.913{5F3DCEF0-289E-623C-8500-000000004202}29806004C:\Windows\system32\csrss.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118121Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:34.913{5F3DCEF0-4EDA-623C-8605-000000004202}42047020C:\Program Files\Mozilla Firefox\firefox.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f553|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Program Files\Mozilla Firefox\firefox.exe+ce11|C:\Program Files\Mozilla Firefox\firefox.exe+991d|C:\Program Files\Mozilla Firefox\firefox.exe+1ca68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118120Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:34.923{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe98.0.1FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{5F3DCEF0-28A0-623C-DB99-080000000000}0x899db2MediumMD5=4709CFE20E83A91570AD6B8305B1EA90,SHA256=6D20A6F85F4FCAFE0A962F8935B234B813FF62F83AC40FC1D6560DF27F56140C,IMPHASH=FAFFE564A2DAFFCCC4A6BE71D34C1748{5F3DCEF0-4EDA-623C-8605-000000004202}4204C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x8000000000000000118119Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:34.913{5F3DCEF0-4EDA-623C-8605-000000004202}42047020C:\Program Files\Mozilla Firefox\firefox.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+b5f3|C:\Program Files\Mozilla Firefox\firefox.exe+991d|C:\Program Files\Mozilla Firefox\firefox.exe+1ca68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118118Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:34.897{5F3DCEF0-286D-623C-1200-000000004202}3961060C:\Windows\System32\svchost.exe{5F3DCEF0-4EDA-623C-8605-000000004202}4204C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118117Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:34.897{5F3DCEF0-286D-623C-1200-000000004202}3961060C:\Windows\System32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118116Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:34.897{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118115Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:34.897{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118114Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:34.897{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118113Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:34.897{5F3DCEF0-289E-623C-8500-000000004202}29806004C:\Windows\system32\csrss.exe{5F3DCEF0-4EDA-623C-8605-000000004202}4204C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118112Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:34.897{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118111Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:34.897{5F3DCEF0-28A1-623C-9400-000000004202}50247088C:\Windows\Explorer.EXE{5F3DCEF0-4EDA-623C-8605-000000004202}4204C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e70b|C:\Windows\System32\windows.storage.dll+16e421|C:\Windows\System32\windows.storage.dll+16e06e|C:\Windows\System32\windows.storage.dll+16f310|C:\Windows\System32\windows.storage.dll+16ddbe|C:\Windows\System32\windows.storage.dll+fce7d|C:\Windows\System32\windows.storage.dll+fd5bc|C:\Windows\System32\windows.storage.dll+fc920|C:\Windows\System32\windows.storage.dll+1664ca|C:\Windows\System32\windows.storage.dll+166222|C:\Windows\System32\SHELL32.dll+9cf3d|C:\Windows\System32\SHELL32.dll+9bad6|C:\Windows\System32\SHELL32.dll+d9be1|C:\Windows\System32\SHELL32.dll+c0bbe|C:\Windows\System32\windows.storage.dll+2d15e|C:\Windows\System32\windows.storage.dll+2d361|C:\Windows\System32\windows.storage.dll+2cf9f|C:\Windows\System32\SHELL32.dll+d9c67|C:\Windows\System32\SHELL32.dll+c0bbe|C:\Windows\System32\SHLWAPI.dll+e1f7 154100x8000000000000000118110Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:34.904{5F3DCEF0-4EDA-623C-8605-000000004202}4204C:\Program Files\Mozilla Firefox\firefox.exe98.0.1FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" C:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{5F3DCEF0-28A0-623C-DB99-080000000000}0x899db2HighMD5=4709CFE20E83A91570AD6B8305B1EA90,SHA256=6D20A6F85F4FCAFE0A962F8935B234B813FF62F83AC40FC1D6560DF27F56140C,IMPHASH=FAFFE564A2DAFFCCC4A6BE71D34C1748{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x8000000000000000118109Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:34.679{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=441CD19FD21230F2D163E9B2C800E6A9,SHA256=8C7D8023B7397A0D489EBF8729D888AC6A6E9F6DA987C9CB4086669B4C46AC3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085002Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:35.238{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F13E3BB56B27729CFF7488C1A15A5C1C,SHA256=01AB23CD59E14452591107BC249AA48ED5B30345DEFA3F5A592C114D558EA92E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118284Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.897{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81825D45CD69907F698CA60DA0B66AAA,SHA256=FBCBE09883D9D64B44BE56BF080CA692AB4A7B1C880D0038C70429E08742F1ED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118283Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.882{5F3DCEF0-286D-623C-1100-000000004202}4081592C:\Windows\system32\svchost.exe{5F3DCEF0-4EDB-623C-8A05-000000004202}6644C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118282Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.882{5F3DCEF0-286D-623C-1100-000000004202}4081592C:\Windows\system32\svchost.exe{5F3DCEF0-4EDB-623C-8A05-000000004202}6644C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118281Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.859{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDB-623C-8A05-000000004202}6644C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118280Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.859{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDB-623C-8A05-000000004202}6644C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000118279Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-ConnectPipe2022-03-24 10:58:35.859{5F3DCEF0-4EDA-623C-8705-000000004202}4196\LOCAL\cubeb-pipe-4196-1C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000118278Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-CreatePipe2022-03-24 10:58:35.859{5F3DCEF0-4EDA-623C-8705-000000004202}4196\LOCAL\cubeb-pipe-4196-1C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000118277Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.844{5F3DCEF0-286D-623C-1100-000000004202}4081592C:\Windows\system32\svchost.exe{5F3DCEF0-4EDB-623C-8905-000000004202}3828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000118276Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.828{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118275Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.828{5F3DCEF0-4EDA-623C-8705-000000004202}41967068C:\Program Files\Mozilla Firefox\firefox.exe{5F3DCEF0-4EDB-623C-8805-000000004202}4216C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+edd4e2|C:\Program Files\Mozilla Firefox\xul.dll+bafbc2|C:\Program Files\Mozilla Firefox\xul.dll+26a242|C:\Program Files\Mozilla Firefox\xul.dll+26a01a|C:\Program Files\Mozilla Firefox\xul.dll+ef9ae3|C:\Program Files\Mozilla Firefox\xul.dll+1b41db8|C:\Program Files\Mozilla Firefox\xul.dll+1b431ed|C:\Program Files\Mozilla Firefox\xul.dll+1b431ed|C:\Program Files\Mozilla Firefox\xul.dll+1b452c6|C:\Program Files\Mozilla Firefox\xul.dll+17a3f09|C:\Program Files\Mozilla Firefox\xul.dll+f2d426|C:\Program Files\Mozilla Firefox\xul.dll+1b3f0a7|C:\Program Files\Mozilla Firefox\xul.dll+17a46df|C:\Program Files\Mozilla Firefox\xul.dll+17a33d3|C:\Program Files\Mozilla Firefox\xul.dll+f165c|C:\Program Files\Mozilla Firefox\xul.dll+10f74f|C:\Program Files\Mozilla Firefox\xul.dll+119814e|C:\Program Files\Mozilla Firefox\xul.dll+8a1798|C:\Program Files\Mozilla Firefox\xul.dll+8a1ec6|C:\Program Files\Mozilla Firefox\xul.dll+213aba|C:\Program Files\Mozilla Firefox\xul.dll+c1f615|C:\Program Files\Mozilla Firefox\xul.dll+81b371 10341000x8000000000000000118274Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.813{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4EDB-623C-8A05-000000004202}6644C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000118273Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-ConnectPipe2022-03-24 10:58:35.813{5F3DCEF0-4EDB-623C-8805-000000004202}4216\chrome.4196.4.43636842C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000118272Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-CreatePipe2022-03-24 10:58:35.813{5F3DCEF0-4EDA-623C-8705-000000004202}4196\chrome.4196.4.43636842C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000118271Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.813{5F3DCEF0-4EDA-623C-8705-000000004202}41966592C:\Program Files\Mozilla Firefox\firefox.exe{5F3DCEF0-4EDB-623C-8A05-000000004202}6644C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+19f5261|C:\Program Files\Mozilla Firefox\xul.dll+19f3976|C:\Program Files\Mozilla Firefox\xul.dll+12ad5|C:\Program Files\Mozilla Firefox\xul.dll+99e59f|C:\Program Files\Mozilla Firefox\xul.dll+126d0|C:\Program Files\Mozilla Firefox\xul.dll+99b601|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e1d8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000118270Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-ConnectPipe2022-03-24 10:58:35.813{5F3DCEF0-4EDA-623C-8705-000000004202}4196\chrome.4196.3.126799269C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000118269Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.813{5F3DCEF0-4EDA-623C-8705-000000004202}41965248C:\Program Files\Mozilla Firefox\firefox.exe{5F3DCEF0-4EDB-623C-8A05-000000004202}6644C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+11d48b|C:\Program Files\Mozilla Firefox\xul.dll+122dedf|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e1d8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000118268Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-ConnectPipe2022-03-24 10:58:35.798{5F3DCEF0-4EDA-623C-8705-000000004202}4196\gecko-crash-server-pipe.4196C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000118267Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.777{5F3DCEF0-4EDA-623C-8705-000000004202}41967068C:\Program Files\Mozilla Firefox\firefox.exe{5F3DCEF0-4EDB-623C-8A05-000000004202}6644C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27660|C:\Program Files\Mozilla Firefox\xul.dll+e5e3ed|C:\Program Files\Mozilla Firefox\xul.dll+e584e9|C:\Program Files\Mozilla Firefox\xul.dll+e48fb0|C:\Program Files\Mozilla Firefox\xul.dll+e4819c|C:\Program Files\Mozilla Firefox\xul.dll+e4a78d|C:\Program Files\Mozilla Firefox\xul.dll+c4d8af|C:\Program Files\Mozilla Firefox\xul.dll+c4a9d5|C:\Program Files\Mozilla Firefox\xul.dll+2728df|C:\Program Files\Mozilla Firefox\xul.dll+272491|C:\Program Files\Mozilla Firefox\xul.dll+fa1ddf|C:\Program Files\Mozilla Firefox\xul.dll+17a4fbb|C:\Program Files\Mozilla Firefox\xul.dll+17a33d3|C:\Program Files\Mozilla Firefox\xul.dll+c4d028|C:\Program Files\Mozilla Firefox\xul.dll+25074e|C:\Program Files\Mozilla Firefox\xul.dll+21dc6b|C:\Program Files\Mozilla Firefox\xul.dll+81b371|C:\Program Files\Mozilla Firefox\xul.dll+177769c|C:\Program Files\Mozilla Firefox\xul.dll+187a668|C:\Program Files\Mozilla Firefox\xul.dll+1ac017b|C:\Program Files\Mozilla Firefox\xul.dll+172d9d7|C:\Program Files\Mozilla Firefox\xul.dll+1bf25d1 10341000x8000000000000000118266Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.759{5F3DCEF0-4EDA-623C-8705-000000004202}41966592C:\Program Files\Mozilla Firefox\firefox.exe{5F3DCEF0-4EDB-623C-8A05-000000004202}6644C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+9b4069|C:\Program Files\Mozilla Firefox\xul.dll+7c6504|C:\Program Files\Mozilla Firefox\xul.dll+19f352f|C:\Program Files\Mozilla Firefox\xul.dll+12ad5|C:\Program Files\Mozilla Firefox\xul.dll+99e59f|C:\Program Files\Mozilla Firefox\xul.dll+126d0|C:\Program Files\Mozilla Firefox\xul.dll+99b601|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e1d8|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118265Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.759{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118264Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.759{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118263Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.759{5F3DCEF0-289E-623C-8500-000000004202}29806004C:\Windows\system32\csrss.exe{5F3DCEF0-4EDB-623C-8A05-000000004202}6644C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118262Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.759{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118261Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.759{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118260Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.759{5F3DCEF0-4EDA-623C-8705-000000004202}41961044C:\Program Files\Mozilla Firefox\firefox.exe{5F3DCEF0-4EDB-623C-8A05-000000004202}6644C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f553|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Program Files\Mozilla Firefox\firefox.exe+30d2d|C:\Program Files\Mozilla Firefox\firefox.exe+2ff55|C:\Program Files\Mozilla Firefox\xul.dll+2075b4a|C:\Program Files\Mozilla Firefox\xul.dll+9b04d4|C:\Program Files\Mozilla Firefox\xul.dll+9ae575|C:\Program Files\Mozilla Firefox\xul.dll+9b4eee|C:\Program Files\Mozilla Firefox\xul.dll+83f654|C:\Program Files\Mozilla Firefox\xul.dll+16ade00|C:\Program Files\Mozilla Firefox\xul.dll+16ac888|C:\Program Files\Mozilla Firefox\xul.dll+99e59f|C:\Program Files\Mozilla Firefox\xul.dll+2052e|C:\Program Files\Mozilla Firefox\xul.dll+84292e|C:\Program Files\Mozilla Firefox\nss3.dll+774c|C:\Program Files\Mozilla Firefox\nss3.dll+90511|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e1d8|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118259Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.764{5F3DCEF0-4EDB-623C-8A05-000000004202}6644C:\Program Files\Mozilla Firefox\firefox.exe98.0.1FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4196.3.1267992697\1470251075" -childID 2 -isForBrowser -prefsHandle 3168 -prefMapHandle 3164 -prefsLen 5124 -prefMapSize 252311 -jsInitHandle 1112 -jsInitLen 279424 -parentBuildID 20220313140707 -appDir "C:\Program Files\Mozilla Firefox\browser" - 4196 "\\.\pipe\gecko-crash-server-pipe.4196" 3176 2431ff5a248 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{5F3DCEF0-28A0-623C-DB99-080000000000}0x899db2LowMD5=4709CFE20E83A91570AD6B8305B1EA90,SHA256=6D20A6F85F4FCAFE0A962F8935B234B813FF62F83AC40FC1D6560DF27F56140C,IMPHASH=FAFFE564A2DAFFCCC4A6BE71D34C1748{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x8000000000000000118258Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.759{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118257Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.759{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118256Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.759{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118255Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.759{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118254Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.759{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118253Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.759{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118252Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.759{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118251Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.759{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118250Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.759{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118249Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.759{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118248Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.759{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118247Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.759{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118246Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.759{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118245Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.759{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118244Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.759{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118243Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.759{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118242Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.759{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118241Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.759{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118240Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.759{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118239Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.759{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118238Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.743{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118237Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.743{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118236Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.743{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118235Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.743{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118234Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.743{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118233Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.743{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000118232Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-CreatePipe2022-03-24 10:58:35.743{5F3DCEF0-4EDA-623C-8705-000000004202}4196\chrome.4196.3.126799269C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000118231Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.743{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18A48E09979F462A74BE21BB0418ABBE,SHA256=5CD4411C0337D5347417DD316FB058B12CA480EA1170F7A875F08367104C5668,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118230Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.712{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118229Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.696{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118228Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.663{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-286D-623C-1600-000000004202}1260C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118227Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.647{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118226Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.647{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000118225Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.647{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F63A28850AD1B787217DB56DF0A3BB6,SHA256=356391AA3987E8387BE69D3D3EC90E538BD668C9BA607F29E36165A918575BB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118224Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.616{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118223Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.616{5F3DCEF0-286D-623C-1100-000000004202}4081592C:\Windows\system32\svchost.exe{5F3DCEF0-4EDB-623C-8805-000000004202}4216C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118222Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.585{5F3DCEF0-286D-623C-1100-000000004202}4081592C:\Windows\system32\svchost.exe{5F3DCEF0-4EDB-623C-8805-000000004202}4216C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000118221Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-ConnectPipe2022-03-24 10:58:35.569{5F3DCEF0-4EDA-623C-8705-000000004202}4196\LOCAL\cubeb-pipe-4196-0C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000118220Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-CreatePipe2022-03-24 10:58:35.569{5F3DCEF0-4EDA-623C-8705-000000004202}4196\LOCAL\cubeb-pipe-4196-0C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000118219Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.553{5F3DCEF0-286D-623C-1100-000000004202}4081592C:\Windows\system32\svchost.exe{5F3DCEF0-4EDB-623C-8905-000000004202}3828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118218Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.553{5F3DCEF0-286D-623C-1100-000000004202}4081592C:\Windows\system32\svchost.exe{5F3DCEF0-4EDB-623C-8905-000000004202}3828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118217Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.538{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDB-623C-8905-000000004202}3828C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118216Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.538{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDB-623C-8905-000000004202}3828C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118215Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.522{5F3DCEF0-286D-623C-1100-000000004202}4081592C:\Windows\system32\svchost.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000118214Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-ConnectPipe2022-03-24 10:58:35.507{5F3DCEF0-4EDB-623C-8805-000000004202}4216\chrome.4196.2.22996049C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000118213Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-CreatePipe2022-03-24 10:58:35.507{5F3DCEF0-4EDA-623C-8705-000000004202}4196\chrome.4196.2.22996049C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000118212Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.507{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4EDB-623C-8905-000000004202}3828C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118211Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.507{5F3DCEF0-4EDA-623C-8705-000000004202}41966592C:\Program Files\Mozilla Firefox\firefox.exe{5F3DCEF0-4EDB-623C-8905-000000004202}3828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+19f5261|C:\Program Files\Mozilla Firefox\xul.dll+19f3976|C:\Program Files\Mozilla Firefox\xul.dll+12ad5|C:\Program Files\Mozilla Firefox\xul.dll+99e59f|C:\Program Files\Mozilla Firefox\xul.dll+126d0|C:\Program Files\Mozilla Firefox\xul.dll+99b601|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e1d8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000118210Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-ConnectPipe2022-03-24 10:58:35.507{5F3DCEF0-4EDA-623C-8705-000000004202}4196\chrome.4196.1.25441238C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000118209Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.507{5F3DCEF0-4EDA-623C-8705-000000004202}41965248C:\Program Files\Mozilla Firefox\firefox.exe{5F3DCEF0-4EDB-623C-8905-000000004202}3828C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+11d48b|C:\Program Files\Mozilla Firefox\xul.dll+122dedf|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e1d8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000118208Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-ConnectPipe2022-03-24 10:58:35.507{5F3DCEF0-4EDA-623C-8705-000000004202}4196\gecko-crash-server-pipe.4196C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000118207Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.475{5F3DCEF0-4EDA-623C-8705-000000004202}41967068C:\Program Files\Mozilla Firefox\firefox.exe{5F3DCEF0-4EDB-623C-8905-000000004202}3828C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27660|C:\Program Files\Mozilla Firefox\xul.dll+e5e3ed|C:\Program Files\Mozilla Firefox\xul.dll+e584e9|C:\Program Files\Mozilla Firefox\xul.dll+e48fb0|C:\Program Files\Mozilla Firefox\xul.dll+e4819c|C:\Program Files\Mozilla Firefox\xul.dll+e4a78d|C:\Program Files\Mozilla Firefox\xul.dll+c4d8af|C:\Program Files\Mozilla Firefox\xul.dll+c4a9d5|C:\Program Files\Mozilla Firefox\xul.dll+2728df|C:\Program Files\Mozilla Firefox\xul.dll+272491|C:\Program Files\Mozilla Firefox\xul.dll+fa1ddf|C:\Program Files\Mozilla Firefox\xul.dll+17a4fbb|C:\Program Files\Mozilla Firefox\xul.dll+17a33d3|C:\Program Files\Mozilla Firefox\xul.dll+c4d028|C:\Program Files\Mozilla Firefox\xul.dll+257501|C:\Program Files\Mozilla Firefox\xul.dll+34c1ce|C:\Program Files\Mozilla Firefox\xul.dll+cf0bd6|C:\Program Files\Mozilla Firefox\xul.dll+1793840|C:\Program Files\Mozilla Firefox\xul.dll+1729088|C:\Program Files\Mozilla Firefox\xul.dll+16f9f20|C:\Program Files\Mozilla Firefox\xul.dll+1be72c8|C:\Program Files\Mozilla Firefox\xul.dll+1729521 10341000x8000000000000000118206Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.475{5F3DCEF0-4EDA-623C-8705-000000004202}41966592C:\Program Files\Mozilla Firefox\firefox.exe{5F3DCEF0-4EDB-623C-8905-000000004202}3828C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+9b4069|C:\Program Files\Mozilla Firefox\xul.dll+7c6504|C:\Program Files\Mozilla Firefox\xul.dll+19f352f|C:\Program Files\Mozilla Firefox\xul.dll+12ad5|C:\Program Files\Mozilla Firefox\xul.dll+99e59f|C:\Program Files\Mozilla Firefox\xul.dll+126d0|C:\Program Files\Mozilla Firefox\xul.dll+99b601|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e1d8|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118205Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.475{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118204Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.475{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118203Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.475{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118202Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.475{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118201Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.475{5F3DCEF0-289E-623C-8500-000000004202}29802452C:\Windows\system32\csrss.exe{5F3DCEF0-4EDB-623C-8905-000000004202}3828C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118200Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.475{5F3DCEF0-4EDA-623C-8705-000000004202}41961044C:\Program Files\Mozilla Firefox\firefox.exe{5F3DCEF0-4EDB-623C-8905-000000004202}3828C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f553|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Program Files\Mozilla Firefox\firefox.exe+30d2d|C:\Program Files\Mozilla Firefox\firefox.exe+2ff55|C:\Program Files\Mozilla Firefox\xul.dll+2075b4a|C:\Program Files\Mozilla Firefox\xul.dll+9b04d4|C:\Program Files\Mozilla Firefox\xul.dll+9ae575|C:\Program Files\Mozilla Firefox\xul.dll+9b4eee|C:\Program Files\Mozilla Firefox\xul.dll+83f654|C:\Program Files\Mozilla Firefox\xul.dll+16ade00|C:\Program Files\Mozilla Firefox\xul.dll+16ac888|C:\Program Files\Mozilla Firefox\xul.dll+99e59f|C:\Program Files\Mozilla Firefox\xul.dll+2052e|C:\Program Files\Mozilla Firefox\xul.dll+84292e|C:\Program Files\Mozilla Firefox\nss3.dll+774c|C:\Program Files\Mozilla Firefox\nss3.dll+90511|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e1d8|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118199Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.476{5F3DCEF0-4EDB-623C-8905-000000004202}3828C:\Program Files\Mozilla Firefox\firefox.exe98.0.1FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4196.1.254412388\1619422930" -childID 1 -isForBrowser -prefsHandle 2140 -prefMapHandle 2136 -prefsLen 342 -prefMapSize 252311 -jsInitHandle 1112 -jsInitLen 279424 -parentBuildID 20220313140707 -appDir "C:\Program Files\Mozilla Firefox\browser" - 4196 "\\.\pipe\gecko-crash-server-pipe.4196" 2148 24330f87548 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{5F3DCEF0-28A0-623C-DB99-080000000000}0x899db2LowMD5=4709CFE20E83A91570AD6B8305B1EA90,SHA256=6D20A6F85F4FCAFE0A962F8935B234B813FF62F83AC40FC1D6560DF27F56140C,IMPHASH=FAFFE564A2DAFFCCC4A6BE71D34C1748{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x8000000000000000118198Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.475{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118197Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118196Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118195Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118194Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118193Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118192Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118191Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118190Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118189Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118188Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118187Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118186Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118185Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118184Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118183Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118182Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118181Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118180Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118179Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118178Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118177Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118176Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118175Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118174Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118173Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118172Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000118171Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-CreatePipe2022-03-24 10:58:35.460{5F3DCEF0-4EDA-623C-8705-000000004202}4196\chrome.4196.1.25441238C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000118170Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.444{5F3DCEF0-4EDA-623C-8705-000000004202}41967068C:\Program Files\Mozilla Firefox\firefox.exe{5F3DCEF0-4EDB-623C-8805-000000004202}4216C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+edd4e2|C:\Program Files\Mozilla Firefox\xul.dll+bafbc2|C:\Program Files\Mozilla Firefox\xul.dll+26a242|C:\Program Files\Mozilla Firefox\xul.dll+26a01a|C:\Program Files\Mozilla Firefox\xul.dll+ef9ae3|C:\Program Files\Mozilla Firefox\xul.dll+1b41db8|C:\Program Files\Mozilla Firefox\xul.dll+1b431ed|C:\Program Files\Mozilla Firefox\xul.dll+1b431ed|C:\Program Files\Mozilla Firefox\xul.dll+1b431ed|C:\Program Files\Mozilla Firefox\xul.dll+1b431ed|C:\Program Files\Mozilla Firefox\xul.dll+1b431ed|C:\Program Files\Mozilla Firefox\xul.dll+1b431ed|C:\Program Files\Mozilla Firefox\xul.dll+1b431ed|C:\Program Files\Mozilla Firefox\xul.dll+1b452c6|C:\Program Files\Mozilla Firefox\xul.dll+17a3f09|C:\Program Files\Mozilla Firefox\xul.dll+17a33d3|C:\Program Files\Mozilla Firefox\xul.dll+c4d028|C:\Program Files\Mozilla Firefox\xul.dll+257501|C:\Program Files\Mozilla Firefox\xul.dll+34c1ce|C:\Program Files\Mozilla Firefox\xul.dll+cf0bd6|C:\Program Files\Mozilla Firefox\xul.dll+1793840|C:\Program Files\Mozilla Firefox\xul.dll+1729088 23542300x8000000000000000118169Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.288{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=443EB3B8118393E765FB1001A420632E,SHA256=E9D1C389D842E07DA76CBCB577531F5D7BB6B8C2013D74C307A820BDE688D05A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118168Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.272{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118167Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.272{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118166Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.194{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\61ch5vml.default-release\cache2\doomed\16964MD5=BE9692AEE9DEDAFEEE3CABADA56B56A0,SHA256=4F2C83BBA3B4153FDEC91D9F527B780CE172307E0FF5DF1E49DC6AA86495860D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118165Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.194{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\cookies.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118164Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.178{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4EDB-623C-8805-000000004202}4216C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118163Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.178{5F3DCEF0-286D-623C-1600-000000004202}12601428C:\Windows\system32\svchost.exe{5F3DCEF0-4EDB-623C-8805-000000004202}4216C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118162Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.178{5F3DCEF0-286D-623C-1600-000000004202}12601344C:\Windows\system32\svchost.exe{5F3DCEF0-4EDB-623C-8805-000000004202}4216C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118161Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.163{5F3DCEF0-4EDA-623C-8705-000000004202}41966592C:\Program Files\Mozilla Firefox\firefox.exe{5F3DCEF0-4EDB-623C-8805-000000004202}4216C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+19f5261|C:\Program Files\Mozilla Firefox\xul.dll+19f3976|C:\Program Files\Mozilla Firefox\xul.dll+12ad5|C:\Program Files\Mozilla Firefox\xul.dll+99e59f|C:\Program Files\Mozilla Firefox\xul.dll+126d0|C:\Program Files\Mozilla Firefox\xul.dll+99b601|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e1d8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000118160Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-ConnectPipe2022-03-24 10:58:35.163{5F3DCEF0-4EDB-623C-8805-000000004202}4216\chrome.4196.0.148785646C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000118159Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.163{5F3DCEF0-4EDA-623C-8705-000000004202}41965248C:\Program Files\Mozilla Firefox\firefox.exe{5F3DCEF0-4EDB-623C-8805-000000004202}4216C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+11d48b|C:\Program Files\Mozilla Firefox\xul.dll+122dedf|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e1d8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000118158Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-ConnectPipe2022-03-24 10:58:35.163{5F3DCEF0-4EDB-623C-8805-000000004202}4216\gecko-crash-server-pipe.4196C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000118157Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.147{5F3DCEF0-286D-623C-1100-000000004202}4081592C:\Windows\system32\svchost.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118156Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.147{5F3DCEF0-286D-623C-1100-000000004202}4081592C:\Windows\system32\svchost.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118155Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.147{5F3DCEF0-4EDA-623C-8705-000000004202}41966592C:\Program Files\Mozilla Firefox\firefox.exe{5F3DCEF0-4EDB-623C-8805-000000004202}4216C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+9b4069|C:\Program Files\Mozilla Firefox\xul.dll+7c6504|C:\Program Files\Mozilla Firefox\xul.dll+19f352f|C:\Program Files\Mozilla Firefox\xul.dll+12ad5|C:\Program Files\Mozilla Firefox\xul.dll+99e59f|C:\Program Files\Mozilla Firefox\xul.dll+126d0|C:\Program Files\Mozilla Firefox\xul.dll+99b601|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e1d8|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118154Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.147{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118153Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.147{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118152Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.147{5F3DCEF0-289E-623C-8500-000000004202}29804132C:\Windows\system32\csrss.exe{5F3DCEF0-4EDB-623C-8805-000000004202}4216C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118151Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.147{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118150Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.147{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118149Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.147{5F3DCEF0-4EDA-623C-8705-000000004202}41961044C:\Program Files\Mozilla Firefox\firefox.exe{5F3DCEF0-4EDB-623C-8805-000000004202}4216C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Mozilla Firefox\xul.dll+178ca1f|C:\Program Files\Mozilla Firefox\xul.dll+9b0346|C:\Program Files\Mozilla Firefox\xul.dll+9ae575|C:\Program Files\Mozilla Firefox\xul.dll+9b4eee|C:\Program Files\Mozilla Firefox\xul.dll+83f654|C:\Program Files\Mozilla Firefox\xul.dll+16ade00|C:\Program Files\Mozilla Firefox\xul.dll+16ac888|C:\Program Files\Mozilla Firefox\xul.dll+99e59f|C:\Program Files\Mozilla Firefox\xul.dll+2052e|C:\Program Files\Mozilla Firefox\xul.dll+84292e|C:\Program Files\Mozilla Firefox\nss3.dll+774c|C:\Program Files\Mozilla Firefox\nss3.dll+90511|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e1d8|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118148Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.152{5F3DCEF0-4EDB-623C-8805-000000004202}4216C:\Program Files\Mozilla Firefox\firefox.exe98.0.1FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4196.0.1487856468\1007623588" -parentBuildID 20220313140707 -prefsHandle 1292 -prefMapHandle 1304 -prefsLen 1 -prefMapSize 252311 -appDir "C:\Program Files\Mozilla Firefox\browser" - 4196 "\\.\pipe\gecko-crash-server-pipe.4196" 1396 2432c3eb948 gpuC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{5F3DCEF0-28A0-623C-DB99-080000000000}0x899db2MediumMD5=4709CFE20E83A91570AD6B8305B1EA90,SHA256=6D20A6F85F4FCAFE0A962F8935B234B813FF62F83AC40FC1D6560DF27F56140C,IMPHASH=FAFFE564A2DAFFCCC4A6BE71D34C1748{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 17141700x8000000000000000118147Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-CreatePipe2022-03-24 10:58:35.147{5F3DCEF0-4EDA-623C-8705-000000004202}4196\chrome.4196.0.148785646C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000118146Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-CreatePipe2022-03-24 10:58:35.147{5F3DCEF0-4EDA-623C-8705-000000004202}4196\gecko-crash-server-pipe.4196C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000118145Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.085{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118144Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.085{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000118143Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.007{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\parent.lockMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118520Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.897{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\search.json.mozlz4MD5=25C4D85756615B5AD2C847522ACD7C78,SHA256=7BC33AEB07A20D9FA293C77E9AE3D87C2609CDFFBFF9090F180EFFA9F65E389A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118519Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.813{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3C586E5746062B8C3B57949ECF41C50,SHA256=AEC99EAB98CB8A89DBB82D88F5E53970D50C1479F2164DAFF1EF572CCA84885A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118518Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.505{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63234-false34.117.237.239239.237.117.34.bc.googleusercontent.com443https 354300x8000000000000000118517Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.503{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local58059- 354300x8000000000000000118516Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.501{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local58485- 354300x8000000000000000118515Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.501{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local57979- 354300x8000000000000000118514Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.472{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63233-false34.107.221.8282.221.107.34.bc.googleusercontent.com80http 354300x8000000000000000118513Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.465{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local55652- 354300x8000000000000000118512Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.457{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local57531- 22542200x8000000000000000118511Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.465{5F3DCEF0-4EDA-623C-8705-000000004202}4196youtube-ui.l.google.com0172.217.23.110;216.58.212.142;142.250.185.78;142.250.185.110;142.250.185.142;142.250.181.238;172.217.16.142;216.58.212.174;142.250.74.206;142.250.186.46;142.250.186.78;142.250.186.110;142.250.186.142;142.250.186.174;172.217.18.110;142.250.184.206;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000118510Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.465{5F3DCEF0-4EDA-623C-8705-000000004202}4196www.youtube.com0type: 5 youtube-ui.l.google.com;::ffff:142.250.184.206;::ffff:172.217.23.110;::ffff:216.58.212.142;::ffff:142.250.185.78;::ffff:142.250.185.110;::ffff:142.250.185.142;::ffff:142.250.181.238;::ffff:172.217.16.142;::ffff:216.58.212.174;::ffff:142.250.74.206;::ffff:142.250.186.46;::ffff:142.250.186.78;::ffff:142.250.186.110;::ffff:142.250.186.142;::ffff:142.250.186.174;::ffff:172.217.18.110;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000118509Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.464{5F3DCEF0-4EDA-623C-8705-000000004202}4196accounts.google.com0142.250.186.77;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000118508Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.464{5F3DCEF0-4EDA-623C-8705-000000004202}4196googlemail.l.google.com0142.250.185.69;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000118507Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.464{5F3DCEF0-4EDA-623C-8705-000000004202}4196accounts.google.com0::ffff:142.250.186.77;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000118506Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.463{5F3DCEF0-4EDA-623C-8705-000000004202}4196mail.google.com0type: 5 googlemail.l.google.com;::ffff:142.250.185.69;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000118505Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.139{5F3DCEF0-4EDA-623C-8705-000000004202}4196cs9.wac.phicdn.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000118504Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.137{5F3DCEF0-4EDA-623C-8705-000000004202}4196cs9.wac.phicdn.net093.184.220.29;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000118503Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.097{5F3DCEF0-4EDA-623C-8705-000000004202}4196prod.ingestion-edge.prod.dataops.mozgcp.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000118502Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.095{5F3DCEF0-4EDA-623C-8705-000000004202}4196prod.ingestion-edge.prod.dataops.mozgcp.net034.120.208.123;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000118501Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.868{5F3DCEF0-4EDA-623C-8705-000000004202}4196d2nxq2uap88usk.cloudfront.net02600:9000:2156:3600:a:da5e:7900:93a1;2600:9000:2156:f800:a:da5e:7900:93a1;2600:9000:2156:3000:a:da5e:7900:93a1;2600:9000:2156:c600:a:da5e:7900:93a1;2600:9000:2156:6600:a:da5e:7900:93a1;2600:9000:2156:9a00:a:da5e:7900:93a1;2600:9000:2156:ec00:a:da5e:7900:93a1;2600:9000:2156:5c00:a:da5e:7900:93a1;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000118500Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.862{5F3DCEF0-4EDA-623C-8705-000000004202}4196d2nxq2uap88usk.cloudfront.net018.66.139.97;18.66.139.17;18.66.139.67;18.66.139.125;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000118499Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.853{5F3DCEF0-4EDA-623C-8705-000000004202}4196a1887.dscq.akamai.net02a02:26f0:1700:f::1737:a1a4;2a02:26f0:1700:f::1737:a194;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000118498Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.850{5F3DCEF0-4EDA-623C-8705-000000004202}4196a1887.dscq.akamai.net02.22.117.227;2.22.118.162;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000118497Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.849{5F3DCEF0-4EDA-623C-8705-000000004202}4196r3.o.lencr.org0type: 5 o.lencr.edgesuite.net;type: 5 a1887.dscq.akamai.net;::ffff:2.22.118.162;::ffff:2.22.117.227;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000118496Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.734{5F3DCEF0-4EDA-623C-8705-000000004202}4196example.org0::ffff:93.184.216.34;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000118495Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.734{5F3DCEF0-4EDA-623C-8705-000000004202}4196example.org093.184.216.34;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000118494Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.700{5F3DCEF0-4EDA-623C-8705-000000004202}4196prod.detectportal.prod.cloudops.mozgcp.net02600:1901:0:38d7::;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000118493Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.698{5F3DCEF0-4EDA-623C-8705-000000004202}4196prod.detectportal.prod.cloudops.mozgcp.net034.107.221.82;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000118492Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.695{5F3DCEF0-4EDA-623C-8705-000000004202}4196detectportal.firefox.com0type: 5 detectportal.prod.mozaws.net;type: 5 prod.detectportal.prod.cloudops.mozgcp.net;::ffff:34.107.221.82;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000085003Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:36.327{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E673D448A610151073384ACC6A02DA7,SHA256=EB93E64B1D7DC39051F2DF3BD326B3FEE882F0F7C2D4E30E1E8597D3763F25AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118491Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.678{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34EFF8C144769E69AE2489FEDEF21FB8,SHA256=1EBF22CC0444D252B0F23FE8EA1345EC983095E70981EAD828037227866EFBCA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118490Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.628{5F3DCEF0-286D-623C-1100-000000004202}4081592C:\Windows\system32\svchost.exe{5F3DCEF0-4EDC-623C-8D05-000000004202}4220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118489Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.628{5F3DCEF0-286D-623C-1100-000000004202}4081592C:\Windows\system32\svchost.exe{5F3DCEF0-4EDC-623C-8D05-000000004202}4220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118488Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.628{5F3DCEF0-286B-623C-0B00-000000004202}620744C:\Windows\system32\lsass.exe{5F3DCEF0-4EDC-623C-8D05-000000004202}4220C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118487Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.628{5F3DCEF0-286B-623C-0B00-000000004202}620744C:\Windows\system32\lsass.exe{5F3DCEF0-4EDC-623C-8D05-000000004202}4220C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000118486Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-ConnectPipe2022-03-24 10:58:36.613{5F3DCEF0-4EDA-623C-8705-000000004202}4196\LOCAL\cubeb-pipe-4196-4C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000118485Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-CreatePipe2022-03-24 10:58:36.613{5F3DCEF0-4EDA-623C-8705-000000004202}4196\LOCAL\cubeb-pipe-4196-4C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000118484Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.597{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4EDC-623C-8D05-000000004202}4220C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000118483Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-ConnectPipe2022-03-24 10:58:36.597{5F3DCEF0-4EDB-623C-8805-000000004202}4216\chrome.4196.10.24519963C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000118482Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-CreatePipe2022-03-24 10:58:36.597{5F3DCEF0-4EDA-623C-8705-000000004202}4196\chrome.4196.10.24519963C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000118481Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.597{5F3DCEF0-4EDA-623C-8705-000000004202}41966592C:\Program Files\Mozilla Firefox\firefox.exe{5F3DCEF0-4EDC-623C-8D05-000000004202}4220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+19f5261|C:\Program Files\Mozilla Firefox\xul.dll+19f3976|C:\Program Files\Mozilla Firefox\xul.dll+12ad5|C:\Program Files\Mozilla Firefox\xul.dll+99e59f|C:\Program Files\Mozilla Firefox\xul.dll+126d0|C:\Program Files\Mozilla Firefox\xul.dll+99b601|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e1d8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000118480Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-ConnectPipe2022-03-24 10:58:36.597{5F3DCEF0-4EDA-623C-8705-000000004202}4196\chrome.4196.9.99118603C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000118479Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.597{5F3DCEF0-4EDA-623C-8705-000000004202}41965248C:\Program Files\Mozilla Firefox\firefox.exe{5F3DCEF0-4EDC-623C-8D05-000000004202}4220C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+11d48b|C:\Program Files\Mozilla Firefox\xul.dll+122dedf|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e1d8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000118478Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-ConnectPipe2022-03-24 10:58:36.597{5F3DCEF0-4EDA-623C-8705-000000004202}4196\gecko-crash-server-pipe.4196C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000118477Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.582{5F3DCEF0-286D-623C-1100-000000004202}4081592C:\Windows\system32\svchost.exe{5F3DCEF0-4EDC-623C-8C05-000000004202}628C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118476Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.581{5F3DCEF0-286D-623C-1100-000000004202}4081592C:\Windows\system32\svchost.exe{5F3DCEF0-4EDC-623C-8C05-000000004202}628C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118475Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.576{5F3DCEF0-4EDA-623C-8705-000000004202}41967068C:\Program Files\Mozilla Firefox\firefox.exe{5F3DCEF0-4EDC-623C-8D05-000000004202}4220C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27660|C:\Program Files\Mozilla Firefox\xul.dll+e5e3ed|C:\Program Files\Mozilla Firefox\xul.dll+e584e9|C:\Program Files\Mozilla Firefox\xul.dll+e48fb0|C:\Program Files\Mozilla Firefox\xul.dll+e57532|C:\Program Files\Mozilla Firefox\xul.dll+7c6504|C:\Program Files\Mozilla Firefox\xul.dll+19d5b03|C:\Program Files\Mozilla Firefox\xul.dll+19d4c53|C:\Program Files\Mozilla Firefox\xul.dll+16aebda|C:\Program Files\Mozilla Firefox\xul.dll+19fe955|C:\Program Files\Mozilla Firefox\xul.dll+99e59f|C:\Program Files\Mozilla Firefox\xul.dll+2052e|C:\Program Files\Mozilla Firefox\xul.dll+189938|C:\Program Files\Mozilla Firefox\xul.dll+18883f|C:\Program Files\Mozilla Firefox\xul.dll+446b611|C:\Program Files\Mozilla Firefox\xul.dll+44d5796|C:\Program Files\Mozilla Firefox\xul.dll+44d65b9|C:\Program Files\Mozilla Firefox\xul.dll+1fbc193|C:\Program Files\Mozilla Firefox\firefox.exe+9e19|C:\Program Files\Mozilla Firefox\firefox.exe+1ca68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118474Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.575{5F3DCEF0-4EDA-623C-8705-000000004202}41966592C:\Program Files\Mozilla Firefox\firefox.exe{5F3DCEF0-4EDC-623C-8D05-000000004202}4220C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+9b4069|C:\Program Files\Mozilla Firefox\xul.dll+7c6504|C:\Program Files\Mozilla Firefox\xul.dll+19f352f|C:\Program Files\Mozilla Firefox\xul.dll+12ad5|C:\Program Files\Mozilla Firefox\xul.dll+99e59f|C:\Program Files\Mozilla Firefox\xul.dll+126d0|C:\Program Files\Mozilla Firefox\xul.dll+99b601|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e1d8|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118473Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.560{5F3DCEF0-286B-623C-0B00-000000004202}620744C:\Windows\system32\lsass.exe{5F3DCEF0-4EDC-623C-8C05-000000004202}628C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118472Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.560{5F3DCEF0-286B-623C-0B00-000000004202}620744C:\Windows\system32\lsass.exe{5F3DCEF0-4EDC-623C-8C05-000000004202}628C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118471Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.560{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118470Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.560{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118469Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.560{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118468Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.560{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118467Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.560{5F3DCEF0-289E-623C-8500-000000004202}29804996C:\Windows\system32\csrss.exe{5F3DCEF0-4EDC-623C-8D05-000000004202}4220C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118466Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.560{5F3DCEF0-4EDA-623C-8705-000000004202}41961044C:\Program Files\Mozilla Firefox\firefox.exe{5F3DCEF0-4EDC-623C-8D05-000000004202}4220C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f553|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Program Files\Mozilla Firefox\firefox.exe+30d2d|C:\Program Files\Mozilla Firefox\firefox.exe+2ff55|C:\Program Files\Mozilla Firefox\xul.dll+2075b4a|C:\Program Files\Mozilla Firefox\xul.dll+9b04d4|C:\Program Files\Mozilla Firefox\xul.dll+9ae575|C:\Program Files\Mozilla Firefox\xul.dll+9b4eee|C:\Program Files\Mozilla Firefox\xul.dll+83f654|C:\Program Files\Mozilla Firefox\xul.dll+16ade00|C:\Program Files\Mozilla Firefox\xul.dll+16ac888|C:\Program Files\Mozilla Firefox\xul.dll+99e59f|C:\Program Files\Mozilla Firefox\xul.dll+2052e|C:\Program Files\Mozilla Firefox\xul.dll+84292e|C:\Program Files\Mozilla Firefox\nss3.dll+774c|C:\Program Files\Mozilla Firefox\nss3.dll+90511|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e1d8|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118465Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.570{5F3DCEF0-4EDC-623C-8D05-000000004202}4220C:\Program Files\Mozilla Firefox\firefox.exe98.0.1FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4196.9.991186031\1721919520" -childID 5 -isForBrowser -prefsHandle 4700 -prefMapHandle 4692 -prefsLen 5846 -prefMapSize 252311 -jsInitHandle 1112 -jsInitLen 279424 -parentBuildID 20220313140707 -appDir "C:\Program Files\Mozilla Firefox\browser" - 4196 "\\.\pipe\gecko-crash-server-pipe.4196" 4424 24335397b48 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{5F3DCEF0-28A0-623C-DB99-080000000000}0x899db2LowMD5=4709CFE20E83A91570AD6B8305B1EA90,SHA256=6D20A6F85F4FCAFE0A962F8935B234B813FF62F83AC40FC1D6560DF27F56140C,IMPHASH=FAFFE564A2DAFFCCC4A6BE71D34C1748{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x8000000000000000118464Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.560{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118463Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.560{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118462Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.560{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118461Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.560{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118460Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.560{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118459Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.560{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118458Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.560{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118457Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.560{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118456Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.560{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118455Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.560{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118454Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.560{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118453Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.560{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118452Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.560{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118451Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.560{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118450Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.560{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118449Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.560{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118448Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.560{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118447Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.560{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118446Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.560{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118445Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.560{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118444Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.560{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118443Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.560{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118442Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.560{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118441Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.560{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118440Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.560{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118439Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.560{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000118438Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.560{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4851B7F330CFBEE830BBDE77CA93EE75,SHA256=0A8F457217FB7D8B67BDCE8C9B14DE0DA1BF0FF87DED4D6D06C8E4E8E257AA29,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118437Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.544{5F3DCEF0-286D-623C-1100-000000004202}4081592C:\Windows\system32\svchost.exe{5F3DCEF0-4EDC-623C-8B05-000000004202}644C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000118436Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-CreatePipe2022-03-24 10:58:36.544{5F3DCEF0-4EDA-623C-8705-000000004202}4196\chrome.4196.9.99118603C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000118435Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.544{5F3DCEF0-286D-623C-1100-000000004202}4081592C:\Windows\system32\svchost.exe{5F3DCEF0-4EDC-623C-8B05-000000004202}644C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000118434Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-ConnectPipe2022-03-24 10:58:36.544{5F3DCEF0-4EDA-623C-8705-000000004202}4196\LOCAL\cubeb-pipe-4196-3C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000118433Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-CreatePipe2022-03-24 10:58:36.544{5F3DCEF0-4EDA-623C-8705-000000004202}4196\LOCAL\cubeb-pipe-4196-3C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000118432Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.544{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDC-623C-8B05-000000004202}644C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118431Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.544{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDC-623C-8B05-000000004202}644C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000118430Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.544{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D722249F40A509514F84758E0EB741A2,SHA256=87EE78B1EB0F1A242876A8AE15FA7730A58C477B5033526809E324EB35C6599C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118429Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.529{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\datareporting\glean\pending_pings\475a15dc-a4a4-44c2-bf68-39132ce0c455MD5=4FAC465840CAAD8BD0300CACFD98FB13,SHA256=12EF0099CDDDFE42190CD76A31AA87476AF68D2CD07EA01691FA2C5CD9377207,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118428Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.529{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4EDC-623C-8C05-000000004202}628C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000118427Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-ConnectPipe2022-03-24 10:58:36.529{5F3DCEF0-4EDB-623C-8805-000000004202}4216\chrome.4196.8.162184329C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000118426Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-CreatePipe2022-03-24 10:58:36.529{5F3DCEF0-4EDA-623C-8705-000000004202}4196\chrome.4196.8.162184329C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000118425Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.529{5F3DCEF0-4EDA-623C-8705-000000004202}41966592C:\Program Files\Mozilla Firefox\firefox.exe{5F3DCEF0-4EDC-623C-8C05-000000004202}628C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+19f5261|C:\Program Files\Mozilla Firefox\xul.dll+19f3976|C:\Program Files\Mozilla Firefox\xul.dll+12ad5|C:\Program Files\Mozilla Firefox\xul.dll+99e59f|C:\Program Files\Mozilla Firefox\xul.dll+126d0|C:\Program Files\Mozilla Firefox\xul.dll+99b601|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e1d8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000118424Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-ConnectPipe2022-03-24 10:58:36.529{5F3DCEF0-4EDA-623C-8705-000000004202}4196\chrome.4196.6.213627571C:\Program Files\Mozilla Firefox\firefox.exe 18141800x8000000000000000118423Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-ConnectPipe2022-03-24 10:58:36.529{5F3DCEF0-4EDA-623C-8705-000000004202}4196\LOCAL\cubeb-pipe-4196-2C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000118422Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-CreatePipe2022-03-24 10:58:36.529{5F3DCEF0-4EDA-623C-8705-000000004202}4196\LOCAL\cubeb-pipe-4196-2C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000118421Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.513{5F3DCEF0-4EDA-623C-8705-000000004202}41965248C:\Program Files\Mozilla Firefox\firefox.exe{5F3DCEF0-4EDC-623C-8C05-000000004202}628C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+11d48b|C:\Program Files\Mozilla Firefox\xul.dll+122dedf|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e1d8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000118420Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-ConnectPipe2022-03-24 10:58:36.513{5F3DCEF0-4EDA-623C-8705-000000004202}4196\gecko-crash-server-pipe.4196C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000118419Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.513{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4EDC-623C-8B05-000000004202}644C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000118418Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-ConnectPipe2022-03-24 10:58:36.513{5F3DCEF0-4EDB-623C-8805-000000004202}4216\chrome.4196.7.131350989C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000118417Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-CreatePipe2022-03-24 10:58:36.497{5F3DCEF0-4EDA-623C-8705-000000004202}4196\chrome.4196.7.131350989C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000118416Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.497{5F3DCEF0-4EDA-623C-8705-000000004202}41966592C:\Program Files\Mozilla Firefox\firefox.exe{5F3DCEF0-4EDC-623C-8B05-000000004202}644C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+19f5261|C:\Program Files\Mozilla Firefox\xul.dll+19f3976|C:\Program Files\Mozilla Firefox\xul.dll+12ad5|C:\Program Files\Mozilla Firefox\xul.dll+99e59f|C:\Program Files\Mozilla Firefox\xul.dll+126d0|C:\Program Files\Mozilla Firefox\xul.dll+99b601|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e1d8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000118415Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-ConnectPipe2022-03-24 10:58:36.497{5F3DCEF0-4EDA-623C-8705-000000004202}4196\chrome.4196.5.199665256C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000118414Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.497{5F3DCEF0-4EDA-623C-8705-000000004202}41965248C:\Program Files\Mozilla Firefox\firefox.exe{5F3DCEF0-4EDC-623C-8B05-000000004202}644C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+11d48b|C:\Program Files\Mozilla Firefox\xul.dll+122dedf|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e1d8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000118413Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-ConnectPipe2022-03-24 10:58:36.497{5F3DCEF0-4EDA-623C-8705-000000004202}4196\gecko-crash-server-pipe.4196C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000118412Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.497{5F3DCEF0-4EDA-623C-8705-000000004202}41967068C:\Program Files\Mozilla Firefox\firefox.exe{5F3DCEF0-4EDC-623C-8C05-000000004202}628C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27660|C:\Program Files\Mozilla Firefox\xul.dll+e5e3ed|C:\Program Files\Mozilla Firefox\xul.dll+e584e9|C:\Program Files\Mozilla Firefox\xul.dll+e48fb0|C:\Program Files\Mozilla Firefox\xul.dll+e57532|C:\Program Files\Mozilla Firefox\xul.dll+7c6504|C:\Program Files\Mozilla Firefox\xul.dll+19d5b03|C:\Program Files\Mozilla Firefox\xul.dll+19d4c53|C:\Program Files\Mozilla Firefox\xul.dll+16aebda|C:\Program Files\Mozilla Firefox\xul.dll+19fe955|C:\Program Files\Mozilla Firefox\xul.dll+99e59f|C:\Program Files\Mozilla Firefox\xul.dll+2052e|C:\Program Files\Mozilla Firefox\xul.dll+189938|C:\Program Files\Mozilla Firefox\xul.dll+18883f|C:\Program Files\Mozilla Firefox\xul.dll+446b611|C:\Program Files\Mozilla Firefox\xul.dll+44d5796|C:\Program Files\Mozilla Firefox\xul.dll+44d65b9|C:\Program Files\Mozilla Firefox\xul.dll+1fbc193|C:\Program Files\Mozilla Firefox\firefox.exe+9e19|C:\Program Files\Mozilla Firefox\firefox.exe+1ca68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118411Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.497{5F3DCEF0-4EDA-623C-8705-000000004202}41966592C:\Program Files\Mozilla Firefox\firefox.exe{5F3DCEF0-4EDC-623C-8C05-000000004202}628C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+9b4069|C:\Program Files\Mozilla Firefox\xul.dll+7c6504|C:\Program Files\Mozilla Firefox\xul.dll+19f352f|C:\Program Files\Mozilla Firefox\xul.dll+12ad5|C:\Program Files\Mozilla Firefox\xul.dll+99e59f|C:\Program Files\Mozilla Firefox\xul.dll+126d0|C:\Program Files\Mozilla Firefox\xul.dll+99b601|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e1d8|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118410Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.482{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118409Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.482{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118408Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.482{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118407Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.482{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118406Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.482{5F3DCEF0-289E-623C-8500-000000004202}29804132C:\Windows\system32\csrss.exe{5F3DCEF0-4EDC-623C-8C05-000000004202}628C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118405Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.482{5F3DCEF0-4EDA-623C-8705-000000004202}41961044C:\Program Files\Mozilla Firefox\firefox.exe{5F3DCEF0-4EDC-623C-8C05-000000004202}628C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f553|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Program Files\Mozilla Firefox\firefox.exe+30d2d|C:\Program Files\Mozilla Firefox\firefox.exe+2ff55|C:\Program Files\Mozilla Firefox\xul.dll+2075b4a|C:\Program Files\Mozilla Firefox\xul.dll+9b04d4|C:\Program Files\Mozilla Firefox\xul.dll+9ae575|C:\Program Files\Mozilla Firefox\xul.dll+9b4eee|C:\Program Files\Mozilla Firefox\xul.dll+83f654|C:\Program Files\Mozilla Firefox\xul.dll+16ade00|C:\Program Files\Mozilla Firefox\xul.dll+16ac888|C:\Program Files\Mozilla Firefox\xul.dll+99e59f|C:\Program Files\Mozilla Firefox\xul.dll+2052e|C:\Program Files\Mozilla Firefox\xul.dll+84292e|C:\Program Files\Mozilla Firefox\nss3.dll+774c|C:\Program Files\Mozilla Firefox\nss3.dll+90511|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e1d8|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118404Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.495{5F3DCEF0-4EDC-623C-8C05-000000004202}628C:\Program Files\Mozilla Firefox\firefox.exe98.0.1FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4196.6.2136275714\887575775" -childID 4 -isForBrowser -prefsHandle 4356 -prefMapHandle 4360 -prefsLen 5846 -prefMapSize 252311 -jsInitHandle 1112 -jsInitLen 279424 -parentBuildID 20220313140707 -appDir "C:\Program Files\Mozilla Firefox\browser" - 4196 "\\.\pipe\gecko-crash-server-pipe.4196" 4352 24336ab1848 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{5F3DCEF0-28A0-623C-DB99-080000000000}0x899db2LowMD5=4709CFE20E83A91570AD6B8305B1EA90,SHA256=6D20A6F85F4FCAFE0A962F8935B234B813FF62F83AC40FC1D6560DF27F56140C,IMPHASH=FAFFE564A2DAFFCCC4A6BE71D34C1748{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x8000000000000000118403Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.482{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118402Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.482{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118401Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.482{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118400Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.482{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118399Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.482{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118398Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.482{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118397Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.482{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118396Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.482{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118395Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.482{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118394Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.482{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118393Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.482{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118392Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.482{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118391Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.482{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118390Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.482{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118389Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.482{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118388Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.482{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118387Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.482{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118386Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.482{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118385Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.482{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118384Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.482{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118383Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.482{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118382Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.482{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118381Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.482{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118380Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.482{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118379Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.482{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118378Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.482{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000118377Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-CreatePipe2022-03-24 10:58:36.482{5F3DCEF0-4EDA-623C-8705-000000004202}4196\chrome.4196.6.213627571C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000118376Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.481{5F3DCEF0-4EDA-623C-8705-000000004202}41967068C:\Program Files\Mozilla Firefox\firefox.exe{5F3DCEF0-4EDC-623C-8B05-000000004202}644C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27660|C:\Program Files\Mozilla Firefox\xul.dll+e5e3ed|C:\Program Files\Mozilla Firefox\xul.dll+e584e9|C:\Program Files\Mozilla Firefox\xul.dll+e48fb0|C:\Program Files\Mozilla Firefox\xul.dll+e57532|C:\Program Files\Mozilla Firefox\xul.dll+7c6504|C:\Program Files\Mozilla Firefox\xul.dll+19d5b03|C:\Program Files\Mozilla Firefox\xul.dll+19d4c53|C:\Program Files\Mozilla Firefox\xul.dll+16aebda|C:\Program Files\Mozilla Firefox\xul.dll+19fe955|C:\Program Files\Mozilla Firefox\xul.dll+99e59f|C:\Program Files\Mozilla Firefox\xul.dll+2052e|C:\Program Files\Mozilla Firefox\xul.dll+189938|C:\Program Files\Mozilla Firefox\xul.dll+18883f|C:\Program Files\Mozilla Firefox\xul.dll+446b611|C:\Program Files\Mozilla Firefox\xul.dll+44d5796|C:\Program Files\Mozilla Firefox\xul.dll+44d65b9|C:\Program Files\Mozilla Firefox\xul.dll+1fbc193|C:\Program Files\Mozilla Firefox\firefox.exe+9e19|C:\Program Files\Mozilla Firefox\firefox.exe+1ca68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118375Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.481{5F3DCEF0-4EDA-623C-8705-000000004202}41966592C:\Program Files\Mozilla Firefox\firefox.exe{5F3DCEF0-4EDC-623C-8B05-000000004202}644C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+9b4069|C:\Program Files\Mozilla Firefox\xul.dll+7c6504|C:\Program Files\Mozilla Firefox\xul.dll+19f352f|C:\Program Files\Mozilla Firefox\xul.dll+12ad5|C:\Program Files\Mozilla Firefox\xul.dll+99e59f|C:\Program Files\Mozilla Firefox\xul.dll+126d0|C:\Program Files\Mozilla Firefox\xul.dll+99b601|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e1d8|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118374Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.460{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118373Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.460{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118372Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.460{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118371Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.460{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118370Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.460{5F3DCEF0-289E-623C-8500-000000004202}29804132C:\Windows\system32\csrss.exe{5F3DCEF0-4EDC-623C-8B05-000000004202}644C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118369Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.460{5F3DCEF0-4EDA-623C-8705-000000004202}41961044C:\Program Files\Mozilla Firefox\firefox.exe{5F3DCEF0-4EDC-623C-8B05-000000004202}644C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f553|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Program Files\Mozilla Firefox\firefox.exe+30d2d|C:\Program Files\Mozilla Firefox\firefox.exe+2ff55|C:\Program Files\Mozilla Firefox\xul.dll+2075b4a|C:\Program Files\Mozilla Firefox\xul.dll+9b04d4|C:\Program Files\Mozilla Firefox\xul.dll+9ae575|C:\Program Files\Mozilla Firefox\xul.dll+9b4eee|C:\Program Files\Mozilla Firefox\xul.dll+83f654|C:\Program Files\Mozilla Firefox\xul.dll+16ade00|C:\Program Files\Mozilla Firefox\xul.dll+16ac888|C:\Program Files\Mozilla Firefox\xul.dll+99e59f|C:\Program Files\Mozilla Firefox\xul.dll+2052e|C:\Program Files\Mozilla Firefox\xul.dll+84292e|C:\Program Files\Mozilla Firefox\nss3.dll+774c|C:\Program Files\Mozilla Firefox\nss3.dll+90511|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e1d8|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118368Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.474{5F3DCEF0-4EDC-623C-8B05-000000004202}644C:\Program Files\Mozilla Firefox\firefox.exe98.0.1FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4196.5.1996652565\1511450133" -childID 3 -isForBrowser -prefsHandle 4312 -prefMapHandle 4308 -prefsLen 5846 -prefMapSize 252311 -jsInitHandle 1112 -jsInitLen 279424 -parentBuildID 20220313140707 -appDir "C:\Program Files\Mozilla Firefox\browser" - 4196 "\\.\pipe\gecko-crash-server-pipe.4196" 4272 24336006548 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{5F3DCEF0-28A0-623C-DB99-080000000000}0x899db2LowMD5=4709CFE20E83A91570AD6B8305B1EA90,SHA256=6D20A6F85F4FCAFE0A962F8935B234B813FF62F83AC40FC1D6560DF27F56140C,IMPHASH=FAFFE564A2DAFFCCC4A6BE71D34C1748{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x8000000000000000118367Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118366Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118365Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118364Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118363Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118362Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118361Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118360Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118359Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118358Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118357Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118356Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118355Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118354Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118353Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118352Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118351Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118350Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118349Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118348Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118347Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118346Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118345Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118344Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118343Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118342Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000118341Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-CreatePipe2022-03-24 10:58:36.460{5F3DCEF0-4EDA-623C-8705-000000004202}4196\chrome.4196.5.199665256C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000118340Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.382{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118339Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.345{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\datareporting\glean\db\data.safe.binMD5=3E99D8C3598B975B3013E2983DA020C1,SHA256=56D6A562B683C8DDBD99A9F16C0C404E0D85F73FB401AA9754D8E37DE8645358,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118338Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.345{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\datareporting\glean\db\data.safe.binMD5=B6A456CFE73F6ED156B30F2CB516A9E7,SHA256=A0B1C66FAD9554B83DEBABB1552B7114908664788D97BF639A5C053AECFB137A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118337Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.345{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\datareporting\glean\db\data.safe.binMD5=28AF19DC3A3AFB1D99CE04E3B4C7BFA0,SHA256=105C3C57060871E237E6BD06C479B7D8549B64703F53BD71B9C007D880FB2C40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118336Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.345{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\datareporting\glean\db\data.safe.binMD5=FE7AAC1FC1F8FBD95AA8ECA94FCCEF38,SHA256=DAB3D8BAC5B27A6BC30F8EDD20EF2F4E06BE97FA929D08957120F7D7F6D4C7C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118335Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.329{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\datareporting\glean\db\data.safe.binMD5=4686ACA0CFE0DC100188982B04460041,SHA256=49B4F69C2AD2E91DB39A3F010270302F9D66856AD60503DF6A2EB8BCB8947052,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118334Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.329{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\datareporting\glean\db\data.safe.binMD5=90CBD0741485E02018F90036B7923C8B,SHA256=84C2D7A1E386AA867CBC9726B8E1C1C5C948875AADB3303CE357735B250BC963,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118333Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.329{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\datareporting\glean\db\data.safe.binMD5=114BEB306193FFF6445B055669D2105B,SHA256=A76BCEE219785173021E995530DC82EA205B7290DF20E54358319348244171E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118332Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.329{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\datareporting\glean\db\data.safe.binMD5=7523E0B9331A32E286E7F4A1E4D90C6D,SHA256=4D07F603CD3E5E3F0976BE9B21A71741ABB7C7D89790531E066C63863332A09F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118331Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.329{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\datareporting\glean\db\data.safe.binMD5=CA084295B40F5D4342065B3F08627114,SHA256=D8F7A87040C5C92221964961880A66C9230A485F55F6386234316F9CF6C6FE41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118330Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.329{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\datareporting\glean\db\data.safe.binMD5=4D77AFD009D5DDDF6868B784B0E5FCD6,SHA256=F12AF93585B6FF2C89693D53C4324A701422A399ECE90C0D309D9E2B70B0E451,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118329Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.329{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\datareporting\glean\db\data.safe.binMD5=F78EC185E5B73DE25D4431B711C9A627,SHA256=64098497174BC25A2458E8BE66C7492F2FD43B1404B3005191D82676F46ED0B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118328Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.329{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\datareporting\glean\db\data.safe.binMD5=E459A6B19F96D063B6380BFAA5B1D6BA,SHA256=120D2C0A96D01E50E9BA1EE82CBEC67710825BFE166601744505AB5A6068F2E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118327Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.329{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\datareporting\glean\db\data.safe.binMD5=4686ACA0CFE0DC100188982B04460041,SHA256=49B4F69C2AD2E91DB39A3F010270302F9D66856AD60503DF6A2EB8BCB8947052,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118326Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.329{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\datareporting\glean\db\data.safe.binMD5=5759D53E98913F87495CCE4716ACD190,SHA256=36A0C43F54225A72F7D9B28A83447AF75727472B8AC5135CF34B37062954E021,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118325Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.229{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118324Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.229{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118323Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.229{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118322Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.229{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118321Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.229{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118320Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.229{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118319Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.229{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118318Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.229{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118317Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.229{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118316Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.229{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118315Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.229{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118314Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.229{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118313Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.229{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118312Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.229{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118311Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.229{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118310Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.229{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118309Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.229{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118308Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.229{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118307Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.229{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118306Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.229{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118305Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.229{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118304Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.229{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118303Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.229{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118302Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.229{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118301Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.229{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118300Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.229{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118299Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.229{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118298Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.229{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118297Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.229{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118296Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.229{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118295Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.229{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118294Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.229{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000118293Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:34.813{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcpfalsefalse127.0.0.1-63232-false127.0.0.1-63231- 10341000x8000000000000000118292Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.229{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118291Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.229{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9800-000000004202}5168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118290Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.229{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9800-000000004202}5168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118289Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.229{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9800-000000004202}5168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118288Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.229{5F3DCEF0-287B-623C-3600-000000004202}23843084C:\Windows\sysmon64.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118287Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.229{5F3DCEF0-287B-623C-3600-000000004202}23843084C:\Windows\sysmon64.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000118286Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.071{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118285Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.029{5F3DCEF0-287B-623C-3200-000000004202}2344NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=2F8E8D82031FB5BDC1E59D9F6EAAFE4C,SHA256=DA02037AF4AA0602989C0F373D44B915B588AC836F0760A1A99F6D4650D75C14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118587Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:37.927{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D63A2689C316CC3A0F930E0A5C133232,SHA256=7370B495DC1F8CBA656B6655EA3D974CA32EAAAE90BDF3D7BD4478A6B1FF7B72,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000118586Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.477{5F3DCEF0-4EDA-623C-8705-000000004202}4196e11847.a.akamaiedge.net0104.75.89.144;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000118585Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.476{5F3DCEF0-4EDA-623C-8705-000000004202}4196www.ebay.de0type: 5 ipv4.slot11847.ebay.com.edgekey.net;type: 5 e11847.a.akamaiedge.net;::ffff:104.75.89.144;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000118584Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.475{5F3DCEF0-4EDA-623C-8705-000000004202}4196e15317.a.akamaiedge.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000118583Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.475{5F3DCEF0-4EDA-623C-8705-000000004202}4196e2701.dsca.akamaiedge.net095.100.76.75;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000118582Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.474{5F3DCEF0-4EDA-623C-8705-000000004202}4196www.trivago.de0type: 5 www.trivago.de.edgekey.net;type: 5 e2701.dsca.akamaiedge.net;::ffff:95.100.76.75;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000118581Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.473{5F3DCEF0-4EDA-623C-8705-000000004202}4196e15317.a.akamaiedge.net0104.75.90.58;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000118580Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.473{5F3DCEF0-4EDA-623C-8705-000000004202}4196www.amazon.de0type: 5 tp.abe2c2f23-frontier.amazon.de;type: 5 www.amazon.de.edgekey.net;type: 5 e15317.a.akamaiedge.net;::ffff:104.75.90.58;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000118579Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.471{5F3DCEF0-4EDA-623C-8705-000000004202}4196dyna.wikimedia.org02620:0:862:ed1a::1;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000118578Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.471{5F3DCEF0-4EDA-623C-8705-000000004202}4196star-mini.c10r.facebook.com02a03:2880:f11c:8183:face:b00c:0:25de;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000118577Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.469{5F3DCEF0-4EDA-623C-8705-000000004202}4196dyna.wikimedia.org091.198.174.192;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000118576Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.468{5F3DCEF0-4EDA-623C-8705-000000004202}4196www.wikipedia.org0type: 5 dyna.wikimedia.org;::ffff:91.198.174.192;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000118575Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.468{5F3DCEF0-4EDA-623C-8705-000000004202}4196star-mini.c10r.facebook.com0157.240.20.35;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000118574Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.467{5F3DCEF0-4EDA-623C-8705-000000004202}4196www.facebook.com0type: 5 star-mini.c10r.facebook.com;::ffff:157.240.20.35;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000118573Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.467{5F3DCEF0-4EDA-623C-8705-000000004202}4196youtube-ui.l.google.com02a00:1450:4001:813::200e;2a00:1450:4001:831::200e;2a00:1450:4001:82f::200e;2a00:1450:4001:812::200e;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000118572Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.466{5F3DCEF0-4EDA-623C-8705-000000004202}4196accounts.google.com02a00:1450:4001:812::200d;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000118571Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.465{5F3DCEF0-4EDA-623C-8705-000000004202}4196googlemail.l.google.com02a00:1450:4001:812::2005;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000085004Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:37.420{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AE39E649FC07A799A37307C2188E18A,SHA256=0686C7BD02DCB038D47F02B7C1E48C201E886148B892EDEB0CC1E395D524CDFC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118570Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.243{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local55354- 354300x8000000000000000118569Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.240{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local55538- 354300x8000000000000000118568Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.237{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53653- 354300x8000000000000000118567Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.237{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local55953- 354300x8000000000000000118566Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.235{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local54723- 354300x8000000000000000118565Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.234{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local65381- 354300x8000000000000000118564Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.232{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local51931- 354300x8000000000000000118563Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.232{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local57058- 354300x8000000000000000118562Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.230{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local56444- 354300x8000000000000000118561Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.230{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local64995- 354300x8000000000000000118560Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.230{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local50223- 354300x8000000000000000118559Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.230{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local51852- 354300x8000000000000000118558Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.229{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local54111- 354300x8000000000000000118557Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.227{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local52232- 354300x8000000000000000118556Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.227{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local56543- 354300x8000000000000000118555Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.122{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63248-false34.120.208.123123.208.120.34.bc.googleusercontent.com443https 23542300x8000000000000000118554Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:37.512{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=715457D1E5F32E56AE34D4144788070E,SHA256=4266D8EDEA73BDFC15DDF312C861053F3912846ADB4403C6A8594C05C953BAB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118553Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:37.344{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118552Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.996{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63239-false52.89.17.198ec2-52-89-17-198.us-west-2.compute.amazonaws.com443https 354300x8000000000000000118551Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.905{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63246-false93.184.220.29-80http 354300x8000000000000000118550Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.905{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63247-false93.184.220.29-80http 354300x8000000000000000118549Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.903{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local54069- 354300x8000000000000000118548Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.901{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local52313- 354300x8000000000000000118547Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.897{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63245-false34.120.208.123123.208.120.34.bc.googleusercontent.com443https 354300x8000000000000000118546Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.892{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63244-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000118545Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.878{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local64518- 354300x8000000000000000118544Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.874{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63243-false34.120.115.102102.115.120.34.bc.googleusercontent.com443https 354300x8000000000000000118543Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.874{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63242-false34.120.115.102102.115.120.34.bc.googleusercontent.com443https 354300x8000000000000000118542Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.871{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local65050- 354300x8000000000000000118541Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.871{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local65224- 354300x8000000000000000118540Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.869{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local65155- 354300x8000000000000000118539Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.863{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63240-false34.120.208.123123.208.120.34.bc.googleusercontent.com443https 354300x8000000000000000118538Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.862{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63241-false34.120.208.123123.208.120.34.bc.googleusercontent.com443https 354300x8000000000000000118537Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.861{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local54478- 354300x8000000000000000118536Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.861{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local55110- 354300x8000000000000000118535Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.846{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local59570- 354300x8000000000000000118534Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.845{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local65095- 354300x8000000000000000118533Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.628{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local49200- 354300x8000000000000000118532Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.625{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local58812- 354300x8000000000000000118531Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.617{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63237-false2.22.118.162a2-22-118-162.deploy.static.akamaitechnologies.com80http 354300x8000000000000000118530Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.617{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local55229- 354300x8000000000000000118529Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.613{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local57139- 354300x8000000000000000118528Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.581{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63236-false18.66.139.69server-18-66-139-69.fra60.r.cloudfront.net443https 354300x8000000000000000118527Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.576{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local50577- 354300x8000000000000000118526Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.575{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local49355- 354300x8000000000000000118525Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.566{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local58213- 354300x8000000000000000118524Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.561{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63235-false34.107.221.8282.221.107.34.bc.googleusercontent.com80http 354300x8000000000000000118523Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:34.813{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse127.0.0.1-63232-false127.0.0.1-63231- 10341000x8000000000000000118522Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:37.013{5F3DCEF0-287B-623C-3600-000000004202}23843084C:\Windows\sysmon64.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118521Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:37.013{5F3DCEF0-287B-623C-3600-000000004202}23843084C:\Windows\sysmon64.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000085006Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:38.514{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F4BFE56E4E0A54D0CB8B27B97141F08,SHA256=B44ADD3E36D0B0476AD7ACD50B29837049361952058E82B56EB2E7AF420E136A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118591Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:38.843{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B832E6A87A079CAA4E583641BA67967E,SHA256=C5CE01CB08946EC04F5FAF1D7A0E464684E124EEBFB7D2B0AAB4DFFAF944B64C,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000118590Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.486{5F3DCEF0-4EDA-623C-8705-000000004202}4196e11847.a.akamaiedge.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000118589Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.478{5F3DCEF0-4EDA-623C-8705-000000004202}4196e2701.dsca.akamaiedge.net02a02:26f0:3500:899::a8d;2a02:26f0:3500:890::a8d;C:\Program Files\Mozilla Firefox\firefox.exe 354300x8000000000000000118588Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.243{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local50368- 354300x800000000000000085005Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:35.750{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51629-false10.0.1.12-8000- 23542300x8000000000000000118670Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.776{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF706357C368EB931FE6AE396D6955E7,SHA256=33C6BB03339A48CC7A975B1E80AFE57AC98C9B00DA19370683EAFAD9336BA9FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085008Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:39.967{9531C931-286D-623C-1200-000000004302}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=F0853987947243C29EB1C9626CE95732,SHA256=DB9255EE48A380D379F380BFD8F6DC5311647946B03CEDA8A21990A4F7B7C27A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085007Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:39.608{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BAC7D300F468423694B4F49AFBBCE97,SHA256=E044A4DCF37E611499291AADB4416CDA28910023BE720309D2B0BD6538366BB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118669Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.682{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94C337D2CC3E537FCA40FEC24CA9CF35,SHA256=A6762555BE069CBAD5833E993BACB920A8DD0B77811B6CF8CF4F186A4C375F0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118668Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.667{5F3DCEF0-4EDF-623C-9005-000000004202}2156ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\pingsender.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\saved-telemetry-pings\64ecd609-3216-4146-b6e4-08bac6e952fcMD5=7942C6F7C308B3CFB9AEB5FBB80561CD,SHA256=6761DBC8E5B60D9AF960C177CE99A8C4B8A78666A16FBFA83E2D2F1596AB4E5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118667Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.667{5F3DCEF0-4EDF-623C-8E05-000000004202}1040ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\pingsender.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\saved-telemetry-pings\842e65d8-9a42-4c94-aa16-60f25765eefcMD5=E47D04A11914AA40C31C92CDE9BBC36A,SHA256=FC1B75F785731DAE0E28A03AF6D25B341696FC2E724E560A034842F13CDF6F69,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118666Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.442{5F3DCEF0-286D-623C-0D00-000000004202}8844444C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+2da4f|c:\windows\system32\rpcss.dll+30e76|c:\windows\system32\rpcss.dll+3e52a|C:\Windows\System32\RPCRT4.dll+6a3e8|C:\Windows\System32\RPCRT4.dll+2ef39|C:\Windows\System32\RPCRT4.dll+2ed53|C:\Windows\System32\RPCRT4.dll+142d4|C:\Windows\System32\RPCRT4.dll+14751|C:\Windows\System32\RPCRT4.dll+11a1d|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118665Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.442{5F3DCEF0-286D-623C-0D00-000000004202}8844444C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+2da4f|c:\windows\system32\rpcss.dll+30e76|c:\windows\system32\rpcss.dll+3e52a|C:\Windows\System32\RPCRT4.dll+6a3e8|C:\Windows\System32\RPCRT4.dll+2ef39|C:\Windows\System32\RPCRT4.dll+2ed53|C:\Windows\System32\RPCRT4.dll+142d4|C:\Windows\System32\RPCRT4.dll+14751|C:\Windows\System32\RPCRT4.dll+11a1d|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118664Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.442{5F3DCEF0-286D-623C-0D00-000000004202}8844444C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+2da4f|c:\windows\system32\rpcss.dll+30e76|c:\windows\system32\rpcss.dll+3e52a|C:\Windows\System32\RPCRT4.dll+6a3e8|C:\Windows\System32\RPCRT4.dll+2ef39|C:\Windows\System32\RPCRT4.dll+2ed53|C:\Windows\System32\RPCRT4.dll+142d4|C:\Windows\System32\RPCRT4.dll+14751|C:\Windows\System32\RPCRT4.dll+11a1d|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118663Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.442{5F3DCEF0-286D-623C-0D00-000000004202}8844444C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+2da4f|c:\windows\system32\rpcss.dll+30e76|c:\windows\system32\rpcss.dll+3e52a|C:\Windows\System32\RPCRT4.dll+6a3e8|C:\Windows\System32\RPCRT4.dll+2ef39|C:\Windows\System32\RPCRT4.dll+2ed53|C:\Windows\System32\RPCRT4.dll+142d4|C:\Windows\System32\RPCRT4.dll+14751|C:\Windows\System32\RPCRT4.dll+11a1d|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118662Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.442{5F3DCEF0-286D-623C-0D00-000000004202}8844444C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+2da4f|c:\windows\system32\rpcss.dll+30e76|c:\windows\system32\rpcss.dll+3e52a|C:\Windows\System32\RPCRT4.dll+6a3e8|C:\Windows\System32\RPCRT4.dll+2ef39|C:\Windows\System32\RPCRT4.dll+2ed53|C:\Windows\System32\RPCRT4.dll+142d4|C:\Windows\System32\RPCRT4.dll+14751|C:\Windows\System32\RPCRT4.dll+11a1d|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118661Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.442{5F3DCEF0-286D-623C-0D00-000000004202}8844444C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+2da4f|c:\windows\system32\rpcss.dll+30e76|c:\windows\system32\rpcss.dll+3e52a|C:\Windows\System32\RPCRT4.dll+6a3e8|C:\Windows\System32\RPCRT4.dll+2ef39|C:\Windows\System32\RPCRT4.dll+2ed53|C:\Windows\System32\RPCRT4.dll+142d4|C:\Windows\System32\RPCRT4.dll+14751|C:\Windows\System32\RPCRT4.dll+11a1d|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118660Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.442{5F3DCEF0-286D-623C-0D00-000000004202}8844444C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+2da4f|c:\windows\system32\rpcss.dll+30e76|c:\windows\system32\rpcss.dll+3e52a|C:\Windows\System32\RPCRT4.dll+6a3e8|C:\Windows\System32\RPCRT4.dll+2ef39|C:\Windows\System32\RPCRT4.dll+2ed53|C:\Windows\System32\RPCRT4.dll+142d4|C:\Windows\System32\RPCRT4.dll+14751|C:\Windows\System32\RPCRT4.dll+11a1d|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118659Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.442{5F3DCEF0-286D-623C-0D00-000000004202}8844444C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+2da4f|c:\windows\system32\rpcss.dll+30e76|c:\windows\system32\rpcss.dll+3e52a|C:\Windows\System32\RPCRT4.dll+6a3e8|C:\Windows\System32\RPCRT4.dll+2ef39|C:\Windows\System32\RPCRT4.dll+2ed53|C:\Windows\System32\RPCRT4.dll+142d4|C:\Windows\System32\RPCRT4.dll+14751|C:\Windows\System32\RPCRT4.dll+11a1d|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118658Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.442{5F3DCEF0-286D-623C-0D00-000000004202}8844444C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+2da4f|c:\windows\system32\rpcss.dll+30e76|c:\windows\system32\rpcss.dll+3e52a|C:\Windows\System32\RPCRT4.dll+6a3e8|C:\Windows\System32\RPCRT4.dll+2ef39|C:\Windows\System32\RPCRT4.dll+2ed53|C:\Windows\System32\RPCRT4.dll+142d4|C:\Windows\System32\RPCRT4.dll+14751|C:\Windows\System32\RPCRT4.dll+11a1d|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118657Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.442{5F3DCEF0-286D-623C-0D00-000000004202}8844444C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9800-000000004202}5168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+2da4f|c:\windows\system32\rpcss.dll+30e76|c:\windows\system32\rpcss.dll+3e52a|C:\Windows\System32\RPCRT4.dll+6a3e8|C:\Windows\System32\RPCRT4.dll+2ef39|C:\Windows\System32\RPCRT4.dll+2ed53|C:\Windows\System32\RPCRT4.dll+142d4|C:\Windows\System32\RPCRT4.dll+14751|C:\Windows\System32\RPCRT4.dll+11a1d|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118656Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.442{5F3DCEF0-286D-623C-0D00-000000004202}8844444C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9800-000000004202}5168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+2da4f|c:\windows\system32\rpcss.dll+30e76|c:\windows\system32\rpcss.dll+3e52a|C:\Windows\System32\RPCRT4.dll+6a3e8|C:\Windows\System32\RPCRT4.dll+2ef39|C:\Windows\System32\RPCRT4.dll+2ed53|C:\Windows\System32\RPCRT4.dll+142d4|C:\Windows\System32\RPCRT4.dll+14751|C:\Windows\System32\RPCRT4.dll+11a1d|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118655Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.430{5F3DCEF0-286D-623C-0D00-000000004202}8844444C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9800-000000004202}5168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+2da4f|c:\windows\system32\rpcss.dll+30e76|c:\windows\system32\rpcss.dll+3e52a|C:\Windows\System32\RPCRT4.dll+6a3e8|C:\Windows\System32\RPCRT4.dll+2ef39|C:\Windows\System32\RPCRT4.dll+2ed53|C:\Windows\System32\RPCRT4.dll+142d4|C:\Windows\System32\RPCRT4.dll+14751|C:\Windows\System32\RPCRT4.dll+11a1d|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118654Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.430{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-286D-623C-1600-000000004202}1260C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118653Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.395{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDF-623C-9005-000000004202}2156C:\Program Files\Mozilla Firefox\pingsender.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118652Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.395{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDF-623C-9005-000000004202}2156C:\Program Files\Mozilla Firefox\pingsender.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118651Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.395{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-286D-623C-1600-000000004202}1260C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118650Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.379{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDF-623C-8E05-000000004202}1040C:\Program Files\Mozilla Firefox\pingsender.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118649Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.379{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDF-623C-8E05-000000004202}1040C:\Program Files\Mozilla Firefox\pingsender.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000118648Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.358{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\datareporting\glean\db\data.safe.binMD5=B150CFFCC32C6D506F6B5C82BA9305A4,SHA256=B680AC5F1FC562B57A956CB207D733CC0B935235B7B9D30C70AAFFC7AD93F5EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118647Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.342{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\datareporting\glean\db\data.safe.binMD5=0A7AC77FFEA2A570E446893B50984DBD,SHA256=147288FFA6E3D68E9B0321B64A8E6A4F1B4018F0BC38B1088E22B3A5D38A6CB5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118646Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.908{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local56085- 10341000x8000000000000000118645Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.326{5F3DCEF0-286D-623C-1600-000000004202}12601428C:\Windows\system32\svchost.exe{5F3DCEF0-4EDF-623C-9105-000000004202}5836C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118644Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.326{5F3DCEF0-286D-623C-1600-000000004202}12601344C:\Windows\system32\svchost.exe{5F3DCEF0-4EDF-623C-9105-000000004202}5836C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118643Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.326{5F3DCEF0-4EDF-623C-9105-000000004202}58366564C:\Windows\system32\conhost.exe{5F3DCEF0-4EDF-623C-9005-000000004202}2156C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118642Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.326{5F3DCEF0-286D-623C-1600-000000004202}12601428C:\Windows\system32\svchost.exe{5F3DCEF0-4EDF-623C-8F05-000000004202}6044C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118641Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.326{5F3DCEF0-286D-623C-1600-000000004202}12601344C:\Windows\system32\svchost.exe{5F3DCEF0-4EDF-623C-8F05-000000004202}6044C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000118640Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.311{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\datareporting\aborted-session-pingMD5=4F5AC6DA7629C3CEC4A7D8CA4FA23B5C,SHA256=3C7E9F656D6524385A48C3391A108FA31EB16EBCBA8090A35349CA3D3A3D3953,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118639Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.311{5F3DCEF0-4EDF-623C-8F05-000000004202}60442040C:\Windows\system32\conhost.exe{5F3DCEF0-4EDF-623C-8E05-000000004202}1040C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118638Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.311{5F3DCEF0-289E-623C-8500-000000004202}29806004C:\Windows\system32\csrss.exe{5F3DCEF0-4EDF-623C-9105-000000004202}5836C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118637Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.311{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118636Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.311{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118635Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.311{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118634Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.311{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118633Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.311{5F3DCEF0-289E-623C-8500-000000004202}29804996C:\Windows\system32\csrss.exe{5F3DCEF0-4EDF-623C-9005-000000004202}2156C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118632Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.311{5F3DCEF0-289E-623C-8500-000000004202}29806004C:\Windows\system32\csrss.exe{5F3DCEF0-4EDF-623C-8F05-000000004202}6044C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118631Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.311{5F3DCEF0-4EDA-623C-8705-000000004202}41967068C:\Program Files\Mozilla Firefox\firefox.exe{5F3DCEF0-4EDF-623C-9005-000000004202}2156C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Mozilla Firefox\xul.dll+21b7f6f|C:\Program Files\Mozilla Firefox\xul.dll+21b7d85|C:\Program Files\Mozilla Firefox\xul.dll+21b7dd1|C:\Program Files\Mozilla Firefox\xul.dll+1fb8912|C:\Program Files\Mozilla Firefox\xul.dll+1a23f1e|C:\Program Files\Mozilla Firefox\xul.dll+1a25692|C:\Program Files\Mozilla Firefox\xul.dll+1bf25d1|C:\Program Files\Mozilla Firefox\xul.dll+17b5f9c|C:\Program Files\Mozilla Firefox\xul.dll+1c45af6|C:\Program Files\Mozilla Firefox\xul.dll+17b5b20|C:\Program Files\Mozilla Firefox\xul.dll+19bdd87|C:\Program Files\Mozilla Firefox\xul.dll+17a98ef|C:\Program Files\Mozilla Firefox\xul.dll+16ae50e|C:\Program Files\Mozilla Firefox\xul.dll+1fb8912|C:\Program Files\Mozilla Firefox\xul.dll+1a23f1e|C:\Program Files\Mozilla Firefox\xul.dll+1a25692|UNKNOWN(00000100869E1FDA) 154100x8000000000000000118630Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.312{5F3DCEF0-4EDF-623C-9005-000000004202}2156C:\Program Files\Mozilla Firefox\pingsender.exe98.0.1-FirefoxMozilla Foundationpingsender.exe"C:\Program Files\Mozilla Firefox\pingsender.exe" https://incoming.telemetry.mozilla.org/submit/telemetry/64ecd609-3216-4146-b6e4-08bac6e952fc/main/Firefox/98.0.1/release/20220313140707?v=4 C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\saved-telemetry-pings\64ecd609-3216-4146-b6e4-08bac6e952fcC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{5F3DCEF0-28A0-623C-DB99-080000000000}0x899db2MediumMD5=DE32EAEA8BDF50D0DE7EF0C9FAF26172,SHA256=240E078B94BE8BC6BF3A14F914D6286985F9E50481504792EBCA1BFF579A50B2,IMPHASH=AF27FA7223A9B6FE80447A0E6715E632{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x8000000000000000118629Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.295{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118628Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.295{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118627Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.295{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118626Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.295{5F3DCEF0-289E-623C-8500-000000004202}29802452C:\Windows\system32\csrss.exe{5F3DCEF0-4EDF-623C-8E05-000000004202}1040C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118625Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.295{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118624Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.295{5F3DCEF0-4EDA-623C-8705-000000004202}41967068C:\Program Files\Mozilla Firefox\firefox.exe{5F3DCEF0-4EDF-623C-8E05-000000004202}1040C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Mozilla Firefox\xul.dll+21b7f6f|C:\Program Files\Mozilla Firefox\xul.dll+21b7d85|C:\Program Files\Mozilla Firefox\xul.dll+21b7dd1|C:\Program Files\Mozilla Firefox\xul.dll+1fb8912|C:\Program Files\Mozilla Firefox\xul.dll+1a23f1e|C:\Program Files\Mozilla Firefox\xul.dll+1a25692|C:\Program Files\Mozilla Firefox\xul.dll+1bf25d1|C:\Program Files\Mozilla Firefox\xul.dll+17b5f9c|C:\Program Files\Mozilla Firefox\xul.dll+1c45af6|C:\Program Files\Mozilla Firefox\xul.dll+17b5b20|C:\Program Files\Mozilla Firefox\xul.dll+19bdd87|C:\Program Files\Mozilla Firefox\xul.dll+17a98ef|C:\Program Files\Mozilla Firefox\xul.dll+16ae50e|C:\Program Files\Mozilla Firefox\xul.dll+1fb8912|C:\Program Files\Mozilla Firefox\xul.dll+1a23f1e|C:\Program Files\Mozilla Firefox\xul.dll+1a25692|UNKNOWN(00000100869E1FDA) 154100x8000000000000000118623Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.304{5F3DCEF0-4EDF-623C-8E05-000000004202}1040C:\Program Files\Mozilla Firefox\pingsender.exe98.0.1-FirefoxMozilla Foundationpingsender.exe"C:\Program Files\Mozilla Firefox\pingsender.exe" https://incoming.telemetry.mozilla.org/submit/telemetry/842e65d8-9a42-4c94-aa16-60f25765eefc/event/Firefox/98.0.1/release/20220313140707?v=4 C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\saved-telemetry-pings\842e65d8-9a42-4c94-aa16-60f25765eefcC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{5F3DCEF0-28A0-623C-DB99-080000000000}0x899db2MediumMD5=DE32EAEA8BDF50D0DE7EF0C9FAF26172,SHA256=240E078B94BE8BC6BF3A14F914D6286985F9E50481504792EBCA1BFF579A50B2,IMPHASH=AF27FA7223A9B6FE80447A0E6715E632{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 23542300x8000000000000000118622Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.274{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_394d91c7-f94d-42bb-96da-943ca61c6c9d.jsonMD5=FF2250EA1F8A0EA4ECC8E8382E89A08C,SHA256=D864E7F2029A4A592681932E37B3CBAD8E9316D96CE508EEDA28F2BF55226D72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118621Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.242{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\datareporting\session-state.jsonMD5=2E6487A1A983202431382472C87F609F,SHA256=820B941B2BC93FFD43C9C1A216AF2170FBBD67A362764E58E98045101F1BD2D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118620Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.211{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-walMD5=DEAE51541C2FFAE0FCF626D7D5DDA4E7,SHA256=6132A3ECDF554D239C7BF8EEBE63F5EB52FAB26DA8F1515AE1C26B83222BD16A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118619Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.211{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=9488BAC6C91B2AF25626A6A96DB6541F,SHA256=CD34FA24BF3FD2C0B7F4E52D3BFABA3B4A6AC64F4DD640A0504E40B12AC9E98C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118618Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.211{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118617Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.211{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\xulstore.jsonMD5=C0AA4F6F7078705CF225CC9703918D17,SHA256=C27A69EBDC4BF33CDA12D758E155B64789F68B2FB69C33694314A7BD7096330A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118616Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.211{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118615Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.196{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118614Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.196{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\favicons.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 17141700x8000000000000000118613Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-CreatePipe2022-03-24 10:58:39.196{5F3DCEF0-4EDA-623C-8705-000000004202}4196\chrome.4196.15.213033821C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000118612Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-CreatePipe2022-03-24 10:58:39.196{5F3DCEF0-4EDA-623C-8705-000000004202}4196\chrome.4196.14.100116178C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000118611Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.196{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\places.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 17141700x8000000000000000118610Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-CreatePipe2022-03-24 10:58:39.196{5F3DCEF0-4EDA-623C-8705-000000004202}4196\chrome.4196.13.113009575C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000118609Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-CreatePipe2022-03-24 10:58:39.196{5F3DCEF0-4EDA-623C-8705-000000004202}4196\chrome.4196.12.50840877C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000118608Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.179{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118607Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.179{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\cookies.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118606Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.179{5F3DCEF0-4EDA-623C-8705-000000004202}41967068C:\Program Files\Mozilla Firefox\firefox.exe{5F3DCEF0-4EDC-623C-8D05-000000004202}4220C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27660|C:\Program Files\Mozilla Firefox\xul.dll+e5e3ed|C:\Program Files\Mozilla Firefox\xul.dll+e584e9|C:\Program Files\Mozilla Firefox\xul.dll+e4e32c|C:\Program Files\Mozilla Firefox\xul.dll+1fb8912|C:\Program Files\Mozilla Firefox\xul.dll+1a23f1e|C:\Program Files\Mozilla Firefox\xul.dll+1a25692|C:\Program Files\Mozilla Firefox\xul.dll+1bf25d1|C:\Program Files\Mozilla Firefox\xul.dll+17b5f9c|C:\Program Files\Mozilla Firefox\xul.dll+124ec3|C:\Program Files\Mozilla Firefox\xul.dll+1296c3c|C:\Program Files\Mozilla Firefox\xul.dll+1bfc96b|C:\Program Files\Mozilla Firefox\xul.dll+1bf2c30|C:\Program Files\Mozilla Firefox\xul.dll+17b5f9c|C:\Program Files\Mozilla Firefox\xul.dll+1764887|UNKNOWN(00000100869C1E54) 10341000x8000000000000000118605Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.179{5F3DCEF0-4EDA-623C-8705-000000004202}41967068C:\Program Files\Mozilla Firefox\firefox.exe{5F3DCEF0-4EDC-623C-8C05-000000004202}628C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27660|C:\Program Files\Mozilla Firefox\xul.dll+e5e3ed|C:\Program Files\Mozilla Firefox\xul.dll+e584e9|C:\Program Files\Mozilla Firefox\xul.dll+e4e32c|C:\Program Files\Mozilla Firefox\xul.dll+1fb8912|C:\Program Files\Mozilla Firefox\xul.dll+1a23f1e|C:\Program Files\Mozilla Firefox\xul.dll+1a25692|C:\Program Files\Mozilla Firefox\xul.dll+1bf25d1|C:\Program Files\Mozilla Firefox\xul.dll+17b5f9c|C:\Program Files\Mozilla Firefox\xul.dll+124ec3|C:\Program Files\Mozilla Firefox\xul.dll+1296c3c|C:\Program Files\Mozilla Firefox\xul.dll+1bfc96b|C:\Program Files\Mozilla Firefox\xul.dll+1bf2c30|C:\Program Files\Mozilla Firefox\xul.dll+17b5f9c|C:\Program Files\Mozilla Firefox\xul.dll+1764887|UNKNOWN(00000100869C1E54) 10341000x8000000000000000118604Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.179{5F3DCEF0-4EDA-623C-8705-000000004202}41967068C:\Program Files\Mozilla Firefox\firefox.exe{5F3DCEF0-4EDC-623C-8B05-000000004202}644C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27660|C:\Program Files\Mozilla Firefox\xul.dll+e5e3ed|C:\Program Files\Mozilla Firefox\xul.dll+e584e9|C:\Program Files\Mozilla Firefox\xul.dll+e4e32c|C:\Program Files\Mozilla Firefox\xul.dll+1fb8912|C:\Program Files\Mozilla Firefox\xul.dll+1a23f1e|C:\Program Files\Mozilla Firefox\xul.dll+1a25692|C:\Program Files\Mozilla Firefox\xul.dll+1bf25d1|C:\Program Files\Mozilla Firefox\xul.dll+17b5f9c|C:\Program Files\Mozilla Firefox\xul.dll+124ec3|C:\Program Files\Mozilla Firefox\xul.dll+1296c3c|C:\Program Files\Mozilla Firefox\xul.dll+1bfc96b|C:\Program Files\Mozilla Firefox\xul.dll+1bf2c30|C:\Program Files\Mozilla Firefox\xul.dll+17b5f9c|C:\Program Files\Mozilla Firefox\xul.dll+1764887|UNKNOWN(00000100869C1E54) 10341000x8000000000000000118603Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.178{5F3DCEF0-4EDA-623C-8705-000000004202}41967068C:\Program Files\Mozilla Firefox\firefox.exe{5F3DCEF0-4EDB-623C-8905-000000004202}3828C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27660|C:\Program Files\Mozilla Firefox\xul.dll+e5e3ed|C:\Program Files\Mozilla Firefox\xul.dll+e584e9|C:\Program Files\Mozilla Firefox\xul.dll+e4e32c|C:\Program Files\Mozilla Firefox\xul.dll+1fb8912|C:\Program Files\Mozilla Firefox\xul.dll+1a23f1e|C:\Program Files\Mozilla Firefox\xul.dll+1a25692|C:\Program Files\Mozilla Firefox\xul.dll+1bf25d1|C:\Program Files\Mozilla Firefox\xul.dll+17b5f9c|C:\Program Files\Mozilla Firefox\xul.dll+124ec3|C:\Program Files\Mozilla Firefox\xul.dll+1296c3c|C:\Program Files\Mozilla Firefox\xul.dll+1bfc96b|C:\Program Files\Mozilla Firefox\xul.dll+1bf2c30|C:\Program Files\Mozilla Firefox\xul.dll+17b5f9c|C:\Program Files\Mozilla Firefox\xul.dll+1764887|UNKNOWN(00000100869C1E54) 23542300x8000000000000000118602Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.176{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\webappsstore.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000118601Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.174{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\SiteSecurityServiceState.txt2022-03-23 15:09:01.549 23542300x8000000000000000118600Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.174{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\SiteSecurityServiceState.txtMD5=F43E6400FB86DCA284D74BB7A90F63DE,SHA256=D93789E4262585BB1B802913643F71E4F3CAD63447713B83DCC7E042EA423AC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118599Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.174{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 17141700x8000000000000000118598Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-CreatePipe2022-03-24 10:58:39.158{5F3DCEF0-4EDA-623C-8705-000000004202}4196\chrome.4196.11.101309459C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000118597Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.142{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000118596Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.142{5F3DCEF0-286D-623C-1300-000000004202}488NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=FE92DE6C5BEF9F50D6145A0E4037483B,SHA256=5DD8F9EC16BA54AB1A224CD8FFACAE43F166ED9A9FFF74D48717D6C31217479C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118595Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.127{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shmMD5=EB9A0EC25705DAD9BFCD77FB6C93F110,SHA256=C8ABD496EC2F826AAFE1A74F5A6B75D5AFE20E5F10076B562D170B0A7B531F15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118594Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.113{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\61ch5vml.default-release\startupCache\startupCache.8.littleMD5=E2638351A5D56E5FD3CCD44B2A7EE357,SHA256=5CC0503E620F8639E7686546C9FD1DBF65BF7F676FE5CF0CBFC2517E7E2E15F0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118593Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.095{5F3DCEF0-4EDA-623C-8705-000000004202}41967068C:\Program Files\Mozilla Firefox\firefox.exe{5F3DCEF0-4EDB-623C-8905-000000004202}3828C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27660|C:\Program Files\Mozilla Firefox\xul.dll+e5e3ed|C:\Program Files\Mozilla Firefox\xul.dll+e5de37|C:\Program Files\Mozilla Firefox\xul.dll+84e512|C:\Program Files\Mozilla Firefox\xul.dll+841441|C:\Program Files\Mozilla Firefox\xul.dll+19d5b03|C:\Program Files\Mozilla Firefox\xul.dll+19d4c53|C:\Program Files\Mozilla Firefox\xul.dll+16aebda|C:\Program Files\Mozilla Firefox\xul.dll+1fb8912|C:\Program Files\Mozilla Firefox\xul.dll+1a23f1e|C:\Program Files\Mozilla Firefox\xul.dll+1a25692|UNKNOWN(00000100869E1FDA) 23542300x8000000000000000118592Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.080{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118671Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:40.870{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=424BE944872E0905ADD09A66092A7EA8,SHA256=BE578A7CFC4D87F24D9D3F133E2C39140E56C5D0815576C5C1E12296CF187C37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085009Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:40.702{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DD9D99E7971537FE3E07622F5BBE571,SHA256=11CAC48D8E97CE4D803F89DE56DEF9573535947590CDA0098DDBC42C4B00F1EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118677Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:41.964{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C7DCB1CEB5FA2EF71B35713B1B87ADB,SHA256=EED1483D7D7D7177AD38051CB0D16EB6C5677B043F88566DFE8F9D3011EF74E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085010Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:41.795{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B0DA2C43018DC3A4F0786937BCFD202,SHA256=00856BA17080DE675BA5A2D494FC62C05D633411F5B4CE6652166F2941697681,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118676Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:41.682{5F3DCEF0-287B-623C-3200-000000004202}2344NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B25FDCC12974A9C381F03B139373D5A,SHA256=CCB13157BCC6FA0284F12C6446F2447FFDD0F4F85F98465868293CDAEA96B09E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118675Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.215{00000000-0000-0000-0000-000000000000}2156<unknown process>-tcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63250-false34.120.208.123123.208.120.34.bc.googleusercontent.com443https 354300x8000000000000000118674Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.180{00000000-0000-0000-0000-000000000000}1040<unknown process>-tcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63249-false34.120.208.123123.208.120.34.bc.googleusercontent.com443https 22542200x8000000000000000118673Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.137{5F3DCEF0-4EDA-623C-8705-000000004202}4196prod.ingestion-edge.prod.dataops.mozgcp.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000118672Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.137{5F3DCEF0-4EDA-623C-8705-000000004202}4196prod.ingestion-edge.prod.dataops.mozgcp.net034.120.208.123;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000085011Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:42.889{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29B1157ECC9EF42D5FEF5EF4A7EAD0FF,SHA256=95717103DD84E3CD70B2C3E45E9AE4AF9C65D2BF3A8CB17F83AF0789383A0218,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118678Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:41.007{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63251-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000085012Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:43.983{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03F75933A8F6931FB870E720DD646800,SHA256=8DFCD82D800A09CF7A31E76591E76F69049F341D9F2A39D5554FB6A0F3668776,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118680Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:41.429{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63252-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000118679Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:43.057{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4E6E538AD9D7418AF1739B4D951543F,SHA256=46637F8728347A9788653D3295187B1E9E7A64E1CA5E6BAD7D639092630C7531,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118681Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:44.151{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3D5BC951E304D49D9365E9A7B4DE372,SHA256=CE235D47ABE3AEE504859CDFC97D2B025BE43E4AAF5D9AF3AE46E9E86AFBD21F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085014Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:44.927{9531C931-286E-623C-1F00-000000004302}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0461bb3aaa367e86a\channels\health\respondent-20220324081441-159MD5=E0BA989DE2EAC2D304FA728EF5181BE5,SHA256=79811ABCB3575FCAAAD7A2ED1966FC2D319842A68AFDD7DF3600AD47FF32DF65,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085013Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:41.750{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51630-false10.0.1.12-8000- 23542300x8000000000000000118682Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:45.245{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7C0295B5CCB074F91645D12007E3B6A,SHA256=830588968352C004961CA471FA08EA2DDFF83FB16DB5EF13FAA37EB7F648ECC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085016Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:45.929{9531C931-286E-623C-1F00-000000004302}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0461bb3aaa367e86a\channels\health\surveyor-20220324081439-160MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085015Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:45.100{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D332A3595967B6B2D99FC3B4D79BD390,SHA256=1956D4824FAB815F59403D30850D0F55088E68817D2452A668E3830F83A227AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118683Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:46.339{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8543520702CC2060D68F0677FF29D383,SHA256=407C7E74B4BECD68AAA4A340931D06CC068106A50E99918B7CCA63D7604B1598,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085017Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:46.192{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=086005F657C5643D4F2BFC4F44D4CD47,SHA256=9AB5B7F393AFE7ED85D5CF60B8E5A1A3BE33CE4A6EB0A9A7862803D24A222026,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118684Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:47.432{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEE4196141D4FD9DA9742C6D621F8462,SHA256=46664B0D1E7F4700133D7AE2AED86E5D4BEA47C541980199B7082F2B6451D5A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085018Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:47.288{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14455301D6C9A849EB790FFACE34E633,SHA256=AFCB9DAE79F0D7332F1F0B2EFD0D5D75580A12DFAAFA7CF543701F463251D55D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085019Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:48.382{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB162957FB741AF8DAF5B1E176499E6C,SHA256=E9D57C4A76F9410CBDABBB804BCB987A6B16640B994AECB1B0D1C70C62D35C47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118686Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:48.526{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94153EC1CBECF902500AAB16496D6C85,SHA256=8C5D5C92374772F09F2A438EE68FBC43D013CA01DE1267992A665E98E9486164,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118685Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:46.977{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63253-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000085020Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:49.476{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B92FF09BF3CAADDCF97AB8D207F8F5A2,SHA256=EC787903DEFA977A1240667E689C17C89851400A2EB20B79A15F97954010AB0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118689Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:49.620{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1093FC85A899F030CE50FA8AFDAC43D0,SHA256=940437A2ACE09BD386DF9453AD8F06E242E082154DE52F58B33407A3B2FA3B04,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118688Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:49.448{5F3DCEF0-286D-623C-0D00-000000004202}8844444C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+5cde|C:\Windows\SYSTEM32\ntdll.dll+3a950|C:\Windows\SYSTEM32\ntdll.dll+1e87f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118687Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:49.448{5F3DCEF0-286D-623C-0D00-000000004202}8844444C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+5cde|C:\Windows\SYSTEM32\ntdll.dll+3a950|C:\Windows\SYSTEM32\ntdll.dll+1e87f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000118690Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:50.714{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9733CE9B39265AF2CAB3921BB36EABF5,SHA256=7E530816032DA1488DB99654599BF048E235974DF819118B4EDD366B3E0EDC64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085022Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:50.570{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=417FB7923B1FBFB3E74931DD35BA18FB,SHA256=BBCF7E1FD184FCDF84647FF6C6B2FF48310189DEBD3A24F3973C67CC344FB267,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085021Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:47.775{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51631-false10.0.1.12-8000- 23542300x800000000000000085023Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:51.663{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F6CDDCD0602CE88ED67B249DF066569,SHA256=468C646D5FB7DFAD6A050921134D7170395370F071DB2ACF26990BFC65E20055,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118691Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:51.807{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16E73A00C956E63ACD9E1D65DD1B157A,SHA256=1CF4FF3567FFBCB48AB8E97F48E27EF1BF60AA478C207DCD784D17BEFBA55318,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118692Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:52.901{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CA81CE2216F1C8A688EB7D47EC8AF1F,SHA256=A4B6E602BD5C7BDAE268B4C7365E464596998790F1B256AEB46B7A81D310466F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085037Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:52.757{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BA44CE77162DCE841CA56ECE3029D5C,SHA256=CD6B5A592AC6EC9443566A728929F327527381F5A6C705EF978CF05C9E5D7A2D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085036Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:52.241{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4EEC-623C-0B05-000000004302}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085035Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:52.241{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085034Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:52.241{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085033Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:52.241{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085032Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:52.241{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085031Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:52.241{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085030Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:52.241{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085029Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:52.241{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085028Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:52.241{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085027Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:52.241{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085026Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:52.241{9531C931-286C-623C-0500-000000004302}408528C:\Windows\system32\csrss.exe{9531C931-4EEC-623C-0B05-000000004302}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085025Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:52.241{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4EEC-623C-0B05-000000004302}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085024Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:52.242{9531C931-4EEC-623C-0B05-000000004302}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000118693Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:53.995{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EA0694573CF2EBBBEEB2350196F560C,SHA256=133795534750785A2E7C215F614806D39A70DC398B09E0539497B4C9D43C77F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085053Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:53.866{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E491E6CFA84543F4D9A22842E730C3F,SHA256=90BE7B8F088312916AC6AEDD04FC7736D896E7BFB4FE105B73A6FB539E06A8D5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085052Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:53.429{9531C931-4EED-623C-0C05-000000004302}3802172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000085051Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:53.288{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=99C5BE0A5FBF831EF3C2A83E2DFF1A8A,SHA256=6A866E331A37225DE753EF76EF9284EACE58F05C345543ADB8629E049DFF96D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085050Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:53.116{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4EED-623C-0C05-000000004302}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085049Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:53.116{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085048Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:53.116{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085047Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:53.116{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085046Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:53.116{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085045Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:53.116{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085044Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:53.116{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085043Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:53.116{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085042Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:53.116{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085041Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:53.116{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085040Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:53.116{9531C931-286C-623C-0500-000000004302}408424C:\Windows\system32\csrss.exe{9531C931-4EED-623C-0C05-000000004302}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085039Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:53.116{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4EED-623C-0C05-000000004302}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085038Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:53.117{9531C931-4EED-623C-0C05-000000004302}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000085066Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:54.991{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085065Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:54.991{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085064Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:54.991{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085063Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:54.991{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085062Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:54.991{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085061Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:54.991{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085060Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:54.991{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085059Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:54.991{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085058Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:54.991{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085057Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:54.991{9531C931-286C-623C-0500-000000004302}408528C:\Windows\system32\csrss.exe{9531C931-4EEE-623C-0D05-000000004302}3060C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085056Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:54.991{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4EEE-623C-0D05-000000004302}3060C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085055Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:54.992{9531C931-4EEE-623C-0D05-000000004302}3060C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000085054Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:54.960{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C46AF0C15D6F18C42E9A59C4AF009543,SHA256=9466751B846516E643B2F1F7F74EE484D476D2BE4702CBA91539D437346CCE10,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118694Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:51.976{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63254-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118695Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:55.089{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B40E32C687F06BD6848FB734236B34A5,SHA256=9DDEB9E2AA931263918F47F56ADAC4F35DC2901C727AC15CC02CA186624BE363,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085068Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:55.148{9531C931-286E-623C-2100-000000004302}2000NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=F155E2A1B9E6731AFB94F572819CDDE5,SHA256=90AFCC4EFD8E7D67BFED2452C03D755BB2C15A71F52F668B90137B5F09AF435D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085067Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:54.991{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4EEE-623C-0D05-000000004302}3060C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000118696Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:56.178{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03A92254846D6BF318E86E985C8C644F,SHA256=ECDE1DD8765F3E39CABE9799FC118975EA81D59501A96611D6EF09D07DB7800E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085084Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:53.681{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51632-false10.0.1.12-8000- 10341000x800000000000000085083Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:56.536{9531C931-4EF0-623C-0E05-000000004302}33481128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085082Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:56.161{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4EF0-623C-0E05-000000004302}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085081Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:56.161{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085080Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:56.161{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085079Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:56.161{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085078Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:56.161{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085077Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:56.161{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085076Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:56.161{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085075Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:56.161{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085074Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:56.161{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085073Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:56.161{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085072Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:56.161{9531C931-286C-623C-0500-000000004302}4081060C:\Windows\system32\csrss.exe{9531C931-4EF0-623C-0E05-000000004302}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085071Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:56.161{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4EF0-623C-0E05-000000004302}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085070Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:56.162{9531C931-4EF0-623C-0E05-000000004302}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000085069Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:56.052{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A8BF1348182C8BDF5C43AADE5400FF1,SHA256=1BEE207D742E801657CF064CC0738956302EC5BE99B060BAF189D20DC808EAB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118698Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:57.916{5F3DCEF0-287B-623C-2F00-000000004202}3064NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-055648375a9ac07a7\channels\health\respondent-20220324081453-159MD5=AC296348C12F899BF0F527F2984A2DD1,SHA256=A35560BD23E94F5C9C2AA7752B988DA786BB94608EDDAF755EB3DCD02CE684A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118697Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:57.272{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20CA69B8EA637DACBF68AA9F1CB10537,SHA256=2726ABD0837C75C482F164F8F0FC305628BF04ABD3DC7F2B47E384E511490C56,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085112Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:57.740{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4EF1-623C-1005-000000004302}3860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085111Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:57.740{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085110Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:57.740{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085109Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:57.740{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085108Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:57.740{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085107Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:57.740{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085106Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:57.740{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085105Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:57.740{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085104Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:57.740{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085103Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:57.740{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085102Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:57.740{9531C931-286C-623C-0500-000000004302}408424C:\Windows\system32\csrss.exe{9531C931-4EF1-623C-1005-000000004302}3860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085101Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:57.740{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4EF1-623C-1005-000000004302}3860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085100Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:57.740{9531C931-4EF1-623C-1005-000000004302}3860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000085099Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:57.411{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD939D001EF6A0E75B117A17CAC7F4C5,SHA256=8D19A23A6E92DB746F79840FBE9FF78C416ED4858923C9F7F8297FB2436CD7C2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085098Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:57.240{9531C931-4EF1-623C-0F05-000000004302}692976C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085097Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:57.036{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4EF1-623C-0F05-000000004302}692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085096Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:57.036{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085095Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:57.036{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085094Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:57.036{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085093Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:57.036{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085092Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:57.036{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085091Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:57.036{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085090Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:57.036{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085089Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:57.036{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085088Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:57.036{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085087Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:57.036{9531C931-286C-623C-0500-000000004302}408424C:\Windows\system32\csrss.exe{9531C931-4EF1-623C-0F05-000000004302}692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085086Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:57.036{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4EF1-623C-0F05-000000004302}692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085085Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:57.037{9531C931-4EF1-623C-0F05-000000004302}692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000118700Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:58.929{5F3DCEF0-287B-623C-2F00-000000004202}3064NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-055648375a9ac07a7\channels\health\surveyor-20220324081451-160MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118699Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:58.350{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C17C8A89159C0A392CD5B83B19A727FD,SHA256=4E27C3D7A8070AB8A702E3F4958E9098A220380160A7F7AC3AABA8ABF56D5AE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085115Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:58.974{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=22D1E1218E1B291BF23B06ABCBCD7E95,SHA256=EC1A669F1C52F24A4BFA66C171C31CE0667755671FCFF0569619AF1D6C31952C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085114Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:58.380{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5633E8956FC888DBE01667FD235AC72C,SHA256=31750BB7CCEF5BD39B82428E3A245DF7EED673F8367AC5B582265AD3D1970694,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085113Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:58.052{9531C931-4EF1-623C-1005-000000004302}38602468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000118702Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:57.847{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63255-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118701Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:59.444{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23988ED9D8B46589DE3FC943CEB61177,SHA256=258534B0B8BB8804913AB6BA44CC7EBCD2F553703C90D046B8346558B7431AAB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085129Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:59.536{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4EF3-623C-1105-000000004302}3776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085128Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:59.536{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085127Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:59.536{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085126Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:59.536{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085125Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:59.536{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085124Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:59.536{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085123Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:59.536{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085122Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:59.536{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085121Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:59.536{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085120Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:59.536{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085119Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:59.536{9531C931-286C-623C-0500-000000004302}408528C:\Windows\system32\csrss.exe{9531C931-4EF3-623C-1105-000000004302}3776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085118Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:59.536{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4EF3-623C-1105-000000004302}3776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085117Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:59.537{9531C931-4EF3-623C-1105-000000004302}3776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000085116Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:59.474{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BCC41A59CEF7C0ACFFF7D7A2CB8C767,SHA256=501F7B59DBEDCFC378076ABF7E1C09D7436FE0FD32FBC4984712FAC9027654CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118703Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:00.539{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98427A10EFC6B684F29E64C1E6816299,SHA256=A9C7AA2745F5161AA51166BBE98A8A3126D157F40015A3377FE203F23B86E9A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085131Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:00.568{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFAB929340ABBB3AD4B14587A74388E1,SHA256=34F24B81B32A1BC611218CA887E126321A9049A532DD78BD66133CE0781E44E6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085130Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:58.725{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51633-false10.0.1.12-8000- 23542300x800000000000000085132Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:01.552{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49820592A7945D8B6CCDEF9189FDD71B,SHA256=CAFF6CDDA15EBC5A1330F3E52ECFFD89997A4BF8E07AD5923A4382BE6E211FDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118704Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:01.633{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20066DEF563362547194F6CE1A0621AD,SHA256=2B1E6DB018CBEF8D1BE696CB56F12734AECF3BBC7BB9C427349421D8969E2D50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085133Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:02.646{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4149F1457F8D269F0BE866EE3969C428,SHA256=D026AE689C6903D3BFCBB1CB342BDD4651C0850C82D4C061B8AD6F473AFD0330,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118713Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:02.728{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC60B8A7D445C53940254F2AFE450A64,SHA256=8B50F42E25F29A9E4109CE0356051DAAA41C9B29AFA3ABEBCFFE1FD3D5BBADC4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118712Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:02.524{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4EF6-623C-9205-000000004202}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118711Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:02.524{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118710Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:02.524{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118709Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:02.524{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118708Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:02.524{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118707Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:02.524{5F3DCEF0-286A-623C-0500-000000004202}404608C:\Windows\system32\csrss.exe{5F3DCEF0-4EF6-623C-9205-000000004202}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118706Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:02.524{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4EF6-623C-9205-000000004202}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118705Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:02.525{5F3DCEF0-4EF6-623C-9205-000000004202}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000085134Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:03.739{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7A3A3153D678BE9CB2EE290788E25D2,SHA256=3679E0A7571D1F0996445DC3898D00AB27AF9A32BA24B6C2D5702E44831AF8C3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118723Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:03.977{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4EF7-623C-9305-000000004202}1168C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118722Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:03.977{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118721Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:03.977{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118720Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:03.977{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118719Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:03.977{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118718Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:03.977{5F3DCEF0-286A-623C-0500-000000004202}4041324C:\Windows\system32\csrss.exe{5F3DCEF0-4EF7-623C-9305-000000004202}1168C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118717Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:03.977{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4EF7-623C-9305-000000004202}1168C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118716Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:03.978{5F3DCEF0-4EF7-623C-9305-000000004202}1168C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000118715Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:03.820{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=978392CACC4779B8B849ED2F7131B8B1,SHA256=11325371908925E8A41684E785B58F6DC5D99AB3DF09682200031B7ED739B25B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118714Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:03.633{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A4639A166EA70B0F89F783CE3C87E3A6,SHA256=D639AC4E81DA51AC9342ED7CFD83FD10E5D4EE0A29A20268AA0ABA1870EC30EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085135Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:04.833{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D933FBBBACA80DE5EB1C7C2C010D6B34,SHA256=249A8DEDB07C4381D9FBB030C5AD9C6ACD9680185EC4EF1AF033D62DD9161DB4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118734Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:02.848{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63256-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118733Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:04.914{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F77B3206F6AE3DD53E35E3E0E419CF34,SHA256=9D1659D7FB14CAE1ECB696150F807B8E85B9AEFC00825255A8E23FB625F6B781,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118732Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:04.649{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4EF8-623C-9405-000000004202}4620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118731Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:04.649{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118730Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:04.649{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118729Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:04.649{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118728Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:04.649{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118727Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:04.649{5F3DCEF0-286A-623C-0500-000000004202}404520C:\Windows\system32\csrss.exe{5F3DCEF0-4EF8-623C-9405-000000004202}4620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118726Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:04.649{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4EF8-623C-9405-000000004202}4620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118725Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:04.649{5F3DCEF0-4EF8-623C-9405-000000004202}4620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000118724Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:04.180{5F3DCEF0-4EF7-623C-9305-000000004202}11684484C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000085136Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:05.927{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDF01157FC5D37FD886D6D0833836C80,SHA256=5E8C1F05B858874E769B0123DA5708E7049ED4CD6DC85DD654A78AE73C37EED5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118735Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:05.289{5F3DCEF0-287B-623C-3200-000000004202}2344NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=B37687404B0017552CDFC0428EAEF86B,SHA256=2CBEC27D10C7B08234C083DCE16F3E6A95DE76B6242286961534F2D2E2B72391,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085137Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:04.695{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51634-false10.0.1.12-8000- 23542300x8000000000000000118736Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:06.008{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2697DBA1497B0CA731C864BB5CA03F43,SHA256=9A8E95129F8C481BB612FD5F272AFE8CD1F867B92D49B74A5E906DE781B0F8A2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118746Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:07.633{5F3DCEF0-4EFB-623C-9505-000000004202}59483548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118745Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:07.414{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4EFB-623C-9505-000000004202}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118744Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:07.414{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118743Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:07.414{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118742Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:07.414{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118741Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:07.414{5F3DCEF0-286A-623C-0500-000000004202}404608C:\Windows\system32\csrss.exe{5F3DCEF0-4EFB-623C-9505-000000004202}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118740Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:07.414{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118739Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:07.414{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4EFB-623C-9505-000000004202}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118738Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:07.415{5F3DCEF0-4EFB-623C-9505-000000004202}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000118737Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:07.102{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86DD7EF0BE9B96BA4D3E7E9EF9BF872B,SHA256=074328DD8CE4BF107D582C3FAC566F25A4F979EC917C6F77CE7BFAF093CA2133,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085138Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:07.021{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6983B1DEA8679EE60D8E06957CE3B57D,SHA256=58DC4DF252AAEB8D2F41FC1DDFA6F307C6690D0AC1D1F82B72554DAE9050E4D8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118766Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:08.805{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4EFC-623C-9705-000000004202}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118765Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:08.805{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118764Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:08.805{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118763Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:08.805{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118762Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:08.805{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118761Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:08.805{5F3DCEF0-286A-623C-0500-000000004202}404520C:\Windows\system32\csrss.exe{5F3DCEF0-4EFC-623C-9705-000000004202}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118760Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:08.805{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4EFC-623C-9705-000000004202}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118759Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:08.806{5F3DCEF0-4EFC-623C-9705-000000004202}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000118758Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:08.524{5F3DCEF0-4EFC-623C-9605-000000004202}34605764C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118757Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:08.305{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4EFC-623C-9605-000000004202}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118756Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:08.305{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118755Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:08.305{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118754Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:08.305{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118753Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:08.305{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118752Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:08.305{5F3DCEF0-286A-623C-0500-000000004202}404420C:\Windows\system32\csrss.exe{5F3DCEF0-4EFC-623C-9605-000000004202}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118751Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:08.305{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4EFC-623C-9605-000000004202}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118750Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:08.306{5F3DCEF0-4EFC-623C-9605-000000004202}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000118749Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:08.195{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EE1E1F1364C0032285F042F8E5A6398,SHA256=A5E8C96E10E9A172CE637126421965C5A71B99AF4A1AFE4FACBD082FD34BFF02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085139Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:08.006{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78955F7DF14CE25A3199AAB0166DBD87,SHA256=DCFD0F493D73B4BD275718AE64A846B66A0E9571AAD2B058D7390666DC0E5B4A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118748Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:05.802{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local63257-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local389ldap 354300x8000000000000000118747Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:05.802{5F3DCEF0-287B-623C-2E00-000000004202}3044C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local63257-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local389ldap 23542300x8000000000000000118777Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:09.867{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7E05ADBD132AA9C56612EE7D1DAF9EBE,SHA256=585A48DDB929902BECD68F3FEC2FC6213B6C06DF3197E9F5AB87D42732DE14D9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118776Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:09.649{5F3DCEF0-4EFD-623C-9805-000000004202}67246240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118775Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:09.477{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4EFD-623C-9805-000000004202}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118774Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:09.477{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118773Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:09.477{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118772Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:09.477{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118771Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:09.477{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118770Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:09.477{5F3DCEF0-286A-623C-0500-000000004202}404420C:\Windows\system32\csrss.exe{5F3DCEF0-4EFD-623C-9805-000000004202}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118769Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:09.477{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4EFD-623C-9805-000000004202}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118768Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:09.477{5F3DCEF0-4EFD-623C-9805-000000004202}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000118767Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:09.289{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E130B9906C34AA12009D3A3C61D3F24,SHA256=398A04C6B27034E9AC1F023BFE953D9D4703C0276B0A21C00F92422614B743C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085140Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:09.099{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1E0E0F3DEEEC837A0967CF34D9BD64F,SHA256=63428015A56E82CAED404A2C189121EDC3F6F42FBD64EC1BE5BA7F56E70D9737,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118778Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:10.383{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE04146B74A2C779CB5F922565B2E54D,SHA256=AF0A2F1A6B9D6242FB97F827440FCF7AE8ED60BB614B43DEE44777C5B4E69583,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085141Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:10.208{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75395ECCAA21CE6B6A191C4F48E51917,SHA256=F289392BCA45F17AC9EB9B67AD5FF7CB74ED80C22701682F82B6B6DD5BCB2518,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118780Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:11.477{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1C0E96674C57DE538A4E04D849B6A7E,SHA256=5E214E45009CB7947749CFF32159CE3802C4370ED2467ACC43DDA51FB4A8FF22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085142Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:11.302{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB23C2BE74538F32CE573E5367560CAD,SHA256=B51ACDD202FB5C04FEE71209E6E77058489A9B19FD242C61CE30BEFC46D628F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118779Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:08.005{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63258-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118781Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:12.570{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A9E96D5DE81A3349FC749C823C7470F,SHA256=DC2D6035C7B39039435CBAB26A54AD2376204C183199C30BC708DEC7989F1D7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085144Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:12.396{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F8B92D65ECDFBACD24DE9781304429E,SHA256=2F1F83609F7F5CC14F969B0B7584FFC44AE43FC32497705A9D8E8AE5A2F6D23A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085143Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:09.726{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51635-false10.0.1.12-8000- 23542300x8000000000000000118782Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:13.664{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1DDC0D52D74D1EF0D4F6FA0C210EBD4,SHA256=4528E21EEE88BD0E76756C7F7FAB0AEB70B0AB1AEF744157DEDF7FE6FC6F0D89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085145Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:13.489{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FC548EAC96B77503AC91BCD674EB615,SHA256=5129F78EF845EB48FA8EE6F5874EE79D4ED5F19487AC0A884A5719D7CE73E3FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118783Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:14.758{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6461D740DD452D08BBF8C26B2AF119F6,SHA256=0C37733A5D629734FA70C678B677403F8782DD9C8A9E8EB96597CC15B094F155,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085146Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:14.583{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24AB9BB0E8295831A96255E2CB293728,SHA256=B50271DD1DD715A5CDC6AF85FEECDD5BA954639A556EE6BF14E637F8EB519BE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118784Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:15.852{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F00ABBFF571C2D8A6C3EA5045D445A2B,SHA256=9A810D7544E298881107F823E2DDC17E29C32472B4E9D47A54A2D288C412D70A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085147Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:15.677{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54BC5C16577813EAF7737A39859270CA,SHA256=5D12677D1AC7D0455FD8C9F88E906FE5A1E64E0EC7DB7FDD8E7DFEA9B9FC7352,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118786Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:16.944{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C8E94D6EFD3B1D626AE2B10C70210D3,SHA256=43847E0E1F1F7D3A4B90EC2C0BD68E717D9273286F0FCB2AF262D6BA71494F09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085148Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:16.772{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA9BBB745F4B081E572DEEAC3304A0A0,SHA256=979BA524A2A7D8D50696EF809D0D180F6A6BD77972E0F7D94D2F426520D48613,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118785Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:13.958{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63259-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000085150Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:17.865{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C994ED289FC4C0C9E4C3EDDB78C8AD69,SHA256=9D8EC93395B6410C4B70A4C7ED836EB071ABFE68475D4373081537FCFBA76E9C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085149Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:14.772{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51636-false10.0.1.12-8000- 23542300x800000000000000085151Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:18.959{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A41ABC41CAB7210EDBBD749EFACD924A,SHA256=34A98C59D70323062D982EA6EB5303349FAB55CDADF91E2CD4A8367EC74FE171,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118787Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:18.038{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C4E77CA9EA7FCF2D6D0BAD7627D45B8,SHA256=739E888D4BCAFDDABD08FBBC4D9EE79036F70E77E92AB19922697F36407AF283,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118788Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:19.132{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01183502B544E8B915C08F87887DC94F,SHA256=A367E8572318D2DAF4C2D7997E1B8A5947F5CBF2EEAC2B386B2B44B7200951F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118789Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:20.226{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A77B2A00A82184BE4E6790C84257FB7,SHA256=92DABB9F45C147CF63C233F57C07BBB7CBF3E914788AB925ACFBFA9573ABE6BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085152Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:20.053{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93A89FCB8564F5422310C1BC4C652116,SHA256=E4A2D73347CEAA19412E732CF5005312F1AE30115934CE4EF3DF9F49CE50FDA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118790Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:21.320{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11960121CA18DC743D940F926913170B,SHA256=72EA4ECE26C59B674A82703E50CEA3E8BCA6D1224BAFA2C207554CE22782EE0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085153Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:21.147{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A669321E93B13545A3BFF2D7B74BB9E,SHA256=3637C7CA9F89CD0B2F31B5ADC557CE0FB1AE81C67AA159065BDA097710010E07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118792Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:22.413{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9A30345001D6327472EDAAB38D8077D,SHA256=3B30CCCFEA45E82FE74D94CCB813E3C686139CEA74B2DF42A8608E6486B2B883,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118791Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:19.831{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63260-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000085154Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:22.240{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C34BB474FC9322935335F4BD48F3BFB5,SHA256=3C4E387752F4B041FAC25212BCE023E90BC36E20653EFFE33D70CB15C6FABEDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118793Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:23.398{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C8399DAC0EE849FF49C33047B3877C0,SHA256=0044A04FC39DB3BACFD3D08627A5F92EDC8CB9938FF3DABF7853B694BA95E42D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085156Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:20.711{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51637-false10.0.1.12-8000- 23542300x800000000000000085155Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:23.334{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B23E06781895E6E5A567F61B26B0138C,SHA256=02F7E21C92FF75C723953A79D79DD79BF2584F11E4F80AC57E029E2516A23197,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118794Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:24.491{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FF3EFE5DDF7953016CE2921A39F36BF,SHA256=91129797E98DC21DDC245CF48B06365F27928286059D1C9750506269DDC13E12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085157Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:24.428{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E7840747308856CF0FA01B517F67A93,SHA256=1E4427D5857DB8079B21D67946EDC4AC7F667EA260BF10FFFF6B08D9FA62AD7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118795Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:25.585{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FF2214F69DEBFA1C1635D364F927BAC,SHA256=3FD4FBBE112879EB279BC8737BD97E1DD3D2FB966E43711555B088A3902CEC18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085159Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:25.522{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0392312DC01E340C44ECB43924B54A47,SHA256=A374AA10B2FA21BB4B7318A85C7190DA729C1049BB60E2835D74F991B168A225,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085158Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:25.287{9531C931-286E-623C-2100-000000004302}2000NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=BE14064979E0542E459911A4EA4797D5,SHA256=C17808D099F9B3D568F5B17E1F906C071486B76EED9F14A7F4064B862A61280F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118796Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:26.679{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE105CEB8F5C9CBE7BA64B84450EF509,SHA256=8828185DD3CE7629F4053020F80F889AEA16D3C4BEFF53DA396C091F3D97F598,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085160Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:26.615{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A230A0C3CA9BA762DC5825E3EF4C0BB,SHA256=5EE3AF773137924DEFD8D58343DDCF2BB2EE40A96C020B6932EFD0494D454FFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085161Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:27.709{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAE0DD5CF4D603411714B79860C51092,SHA256=DB8085A3A575CAAE0F99B8BB388FC2EAE1367A5CA0972C108D0515005869882B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118797Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:27.773{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4C80E834DFDA07C92E674A851389E67,SHA256=3C50F97CF5445245DA45913E3A2F5B9407847B7E35E172E0C2BD1589EB848398,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118799Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:28.866{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D55763AFAC9B86C01C98303006B37179,SHA256=DDCDF13CCACA702193F2A82D0F19E0A03DAF557EC109162F0AB2FDE539493FC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085162Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:28.803{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03E1FF46153EED543FEB3D99C46D464E,SHA256=467ED2C92372FBD2BF067443ADD77A5DE5715E348C4D110EA3D59D6F69271BA7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118798Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:25.831{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63261-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118800Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:29.960{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F46BF1C8F1E8C9DBC68FC498E9EAE19,SHA256=A88A3B5EADC5468B474463164D6D16B719BBFCAEA8F542997F731EE46AF147D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085164Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:29.897{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23192AE0B63B54F0BDA9EA40EDF96573,SHA256=28E3C0B746BBF03708FEF215BFEB42925BB67B0989D0D929177FCEC4F1E4C113,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085163Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:26.680{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51638-false10.0.1.12-8000- 23542300x800000000000000085165Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:30.990{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7E9DCF0F84B5048B2864EF4403622CE,SHA256=2CE911F735B1BF28846D642E18C3D70085A2A40E46C7350C7F2CCDFF20B982AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118801Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:31.054{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FDFE9070299683DD3F991FA6C721C8B,SHA256=A1CC7E6493CAF260CDA03E2CAADC5ED496F7967B8BFDDBCC58CFCC591BBEE2DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085166Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:31.444{9531C931-286E-623C-2100-000000004302}2000NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B25FDCC12974A9C381F03B139373D5A,SHA256=CCB13157BCC6FA0284F12C6446F2447FFDD0F4F85F98465868293CDAEA96B09E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118802Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:32.148{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE15B4E2A5EC7E727D75640604274908,SHA256=677E70DAB625527E342E1AD1D0EEA55D5B158EB36288AA0CBE38BC8C019FAD47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085167Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:32.084{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20B4F473C1C9146AA9C514D59AC9D78B,SHA256=1C66D5A9CB6062881E6975ACE66D84282E38031EFDD41B027D1BD9E56D970A88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118803Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:33.241{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F4840A9F42024F07C638A3AD1ADE61D,SHA256=F217D1AEC019C752E9B68E5D6C493E9AC921F78C77780292AEC2B99B96591A0C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085169Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:30.977{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51639-false10.0.1.12-8089- 23542300x800000000000000085168Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:33.178{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4823E41AFCF832B2DA6ADF1167B5195D,SHA256=EC4B8F212CCCA9388336B434E23C5F90A4CA7C50E95F657EF2E2785FE80AFE1E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118805Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:31.847{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63262-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118804Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:34.335{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ECB976304C984297D4C0CBACB4DDAD7,SHA256=A1D1AD3E8C9CC942EA431C5395E833E5ED962BEA3F3C2919A5C3C46656F476CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085171Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:32.617{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51640-false10.0.1.12-8000- 23542300x800000000000000085170Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:34.381{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B433AD9B63FA38E32034E9C3EB21D23,SHA256=CB1956E21209915B405B8ACD4908529E66653BD767798CC60ADDEE45049FA158,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118807Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:35.554{5F3DCEF0-287B-623C-3200-000000004202}2344NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=B795479000F6476DDCEA5431DF760531,SHA256=7CD129B98D8847A839BC37965D5787D251D4CCD5279AD848C864AFF224CCD6C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118806Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:35.429{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14B26FB93F4769D74F691CDE14D462BB,SHA256=6155C9FB48EBCD58CB6814B925836052D65A60D6110300B8B4E9651B517A5F04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085172Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:35.475{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F25C26D99EB37233306B3CFBCDD2FD34,SHA256=C0C723CFA30ED4A7AA0D5CEB84E6D00BB007A2BBBD7C657310D38DB4A5BFFF53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118808Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:36.519{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62051D51C5AF1E103FEF98C215F3A222,SHA256=E4DDD490382E62D86DBCF9BFA39F6127004BEB449D8F8A3695A2B47DB4D1088F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085173Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:36.565{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1E6AA8488F330CDC67182A59079A246,SHA256=0373D97A2AB2F3E45DFA34DF0544061C506F2D3B7A35B336E06E686BEF526220,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118809Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:37.613{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44E4E5D0EC2C3209D7DDF4BA50C534D2,SHA256=1F62D58F517B55E751CAE4A14529B20CC2441960C9C29217DB2C54F1525D5036,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085174Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:37.659{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE1C27F6C961679E21A1FE2C09F11FF7,SHA256=AB2EAE67EEEF20F30EDF74F5339EBBB60769BF13E009CD35037702DFE16132D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118810Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:38.707{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FB0DD824094C240FCEF283233B8E256,SHA256=A77CE200511EA44B31ED2AA8FFD6DBDA05664E2F5F7C5946D803C9922BCA533F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085175Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:38.753{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E5BA7B29CCE855A884414D877C155A6,SHA256=91E4CD4E88BEDA76E0F2BA1FF53F29F66F29C3464F4E84D8F9769E9A600022EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085177Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:39.971{9531C931-286D-623C-1200-000000004302}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=9A031512B6C6FF3A344E6CF20F1B75E6,SHA256=7F6E00A8462741C8F836CE6646D960637A5D30B275760688B855BF555DD78D23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085176Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:39.846{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8F5337D64787E6868E6E96097BDCDBA,SHA256=BBD1D14F67BD6F087F4967EB2FB6982CA706B14ED7FE3E36AE363ACBAE14EEF1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118813Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:36.922{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63263-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118812Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:39.801{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17DB01F60F6A9A4CDC9C9CD6A7BAB16B,SHA256=123C5277112884108F0F415565460E5310557B82C116A4D3D66ECFA353D5CB5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118811Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:39.144{5F3DCEF0-286D-623C-1300-000000004202}488NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=BB38F00C5C1693E7908C2219FBAFD2D2,SHA256=E3BBE04B9E498E1D178CBA2343469E9DC86267D5A14BD8EE9D3ED37F0E3723F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085179Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:40.940{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6137430ABF8666594C6F2F9CB709C96E,SHA256=F83BC9CFE7B73570B5774F6781A97FFB9D0D0F842F147622A61A64A2B27FA308,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118814Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:40.894{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4230A69E62FA8EFEEBE4DA27936DB9E8,SHA256=1552E18E2244CB07538EF28A2EB317F4F0433B9BD0C60668B20F0262B10D4E4A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085178Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:37.661{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51641-false10.0.1.12-8000- 23542300x8000000000000000118816Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:41.988{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E7DE98C0F3245EB01C2478E77FA5F7E,SHA256=D43F54615C94F1CBEB2CA538CFE2D39E4F2D47442126D922EC5D990E684EBEF3,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000085180Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 10:59:41.003{9531C931-286E-623C-1500-000000004302}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d83f6e-0x42f98917) 23542300x8000000000000000118815Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:41.707{5F3DCEF0-287B-623C-3200-000000004202}2344NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B25FDCC12974A9C381F03B139373D5A,SHA256=CCB13157BCC6FA0284F12C6446F2447FFDD0F4F85F98465868293CDAEA96B09E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085181Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:42.035{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBDC92FE729FE14679A79BCB1F0C1EC3,SHA256=4113049E173B3B23F8A9CEF5A1EB6179BA754CD802C8FBC68FA4D54A61A10A73,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118817Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:41.453{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63264-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000118818Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:43.082{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DADABA7B0528E357DFF615E34CDD839A,SHA256=787C5528DAC0D67232D97A60B07F12BEF1D765716AC7F706426DA5CCEED6A24A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085183Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:43.129{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAD43DFA76E791D8AC1F520E39056D9D,SHA256=98BAFD0CDFEA1C99EFC8D5EF778E8BE4EE73D6BFCF9EEA7122736D90D33F903D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085182Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:40.535{9531C931-286E-623C-1500-000000004302}1040C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal123ntpfalse169.254.169.123-123ntp 23542300x8000000000000000118819Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:44.176{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2997AA4771240FE9DE9CF381D823DD7,SHA256=49D7C33E02402F99384924C29DA3044715011694B5BB4B316B1C51AFD1EA5211,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085184Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:44.113{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4687CDCA702E69BCEBF93028DE4D48BD,SHA256=7A9BB545B0F95CB9E901F35621B75DF940B0AFCA48D28FA30DB0986D18FC06E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118821Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:45.269{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9669B60FEF55CE1BDFFA62206FB56A4E,SHA256=63C670D1466C281D95D79CFA7804D8C07AC0807B2E5A0253E550474CF131C5D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085185Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:45.207{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ED8076F5CDD364587714E7CC3330C14,SHA256=7392DBA2DC34661D09EE00BE14443CF3C517C9F877E44DCBA38BC6A462FE15DE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118820Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:42.984{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63265-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118822Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:46.363{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CB8BC97454A68805F73FE9272E56959,SHA256=C676BE333751DA525AF1B592FDB97A955F0FB57171F9CF35A74D4CAD975BC939,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085188Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:46.461{9531C931-286E-623C-1F00-000000004302}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0461bb3aaa367e86a\channels\health\respondent-20220324081441-160MD5=E0BA989DE2EAC2D304FA728EF5181BE5,SHA256=79811ABCB3575FCAAAD7A2ED1966FC2D319842A68AFDD7DF3600AD47FF32DF65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085187Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:46.301{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D484DD746FED5CD810EC2FDAED102E5E,SHA256=03903ACAF924E06BE29A527A6BE4EE33305F0ECD695A46044D68037D1F512926,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085186Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:43.584{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51642-false10.0.1.12-8000- 23542300x8000000000000000118823Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:47.457{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B918693A2F6331C45D7C7AB4E8879CBF,SHA256=2D68D6C5ADA4FBD640450C24F2855C9C21BCCCB4531A360D1D4B7FFCD78EC252,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085190Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:47.460{9531C931-286E-623C-1F00-000000004302}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0461bb3aaa367e86a\channels\health\surveyor-20220324081439-161MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085189Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:47.397{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6170F9A17A6BCECDD6BF1BFA67BF405,SHA256=C125545929790DEFAFD37231CF74EE0EF7FE296B461549F9080BDC5D4E35040E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118824Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:48.551{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1776BCC3C0898890BBCF2C707B13E171,SHA256=0DE983436C5D95AC5DD27566112BD3B112CD1187798F7D0CDC4EF55AECBACC35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085191Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:48.511{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11443C49C0D8E4AB8F80AF8053DE5143,SHA256=2CBFCAE0568C16DD133E6F169556E4D8112B05D00EA8A562CD4B142423C23887,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118825Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:49.644{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12193D3333264A32600D6AA0F00996EF,SHA256=47C76F172A21B25A89C2CEA5C4D4EB4CF453E70DFCE48222A8CD241F130761AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085192Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:49.590{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF34277A8961A373270B885A12ACB9A3,SHA256=B2B1CBF781142E4DC32C502BE2FD70D6E75F3B25FB66EB6A39C21984B847B533,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118826Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:50.738{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06ACEB0DAEA3535358F84FB3AE5462A7,SHA256=FA2E820629521D8B9772D0BE32C2A57A8327923DF69C1F6AA069FC2909DB16CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085193Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:50.793{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E813437EBF2B14B66605D8243B99F56,SHA256=FA431B3C506CDCD2890F2D242C1D52E7E6014D9CE8495C40873BE3A9223FCD4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085195Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:51.886{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=313E244A3F1888008AAB977D165B0C25,SHA256=588141267C3399D12D0D2B440FC7DC3F85122F190CA0F04C14ADFAFAE37129CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118828Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:51.832{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B55DDA50163CF67BAA8C0D3C5DFC4D9B,SHA256=0C2B3D2D3A1EDB604C1828AC946921CBB1C8F51F0ABC2D2D6354C89615E00CCA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118827Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:48.984{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63266-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000085194Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:48.654{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51643-false10.0.1.12-8000- 23542300x8000000000000000118829Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:52.926{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=475D738AB3652938A6D32B82BA89C748,SHA256=EA2A60DDE904E7AB4B263DD249A0431F8B269335F805F6D22381D1DECFEB842F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085222Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:52.730{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4F28-623C-1305-000000004302}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085221Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:52.730{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085220Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:52.730{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085219Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:52.730{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085218Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:52.730{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085217Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:52.730{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085216Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:52.730{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085215Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:52.730{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085214Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:52.730{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085213Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:52.730{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085212Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:52.730{9531C931-286C-623C-0500-000000004302}408424C:\Windows\system32\csrss.exe{9531C931-4F28-623C-1305-000000004302}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085211Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:52.730{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4F28-623C-1305-000000004302}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085210Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:52.731{9531C931-4F28-623C-1305-000000004302}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000085209Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:52.574{9531C931-4F28-623C-1205-000000004302}39083764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085208Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:52.230{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4F28-623C-1205-000000004302}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085207Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:52.230{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085206Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:52.230{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085205Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:52.230{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085204Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:52.230{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085203Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:52.230{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085202Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:52.230{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085201Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:52.230{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085200Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:52.230{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085199Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:52.230{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085198Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:52.230{9531C931-286C-623C-0500-000000004302}408528C:\Windows\system32\csrss.exe{9531C931-4F28-623C-1205-000000004302}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085197Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:52.230{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4F28-623C-1205-000000004302}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085196Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:52.231{9531C931-4F28-623C-1205-000000004302}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000085224Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:53.386{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB985E787ABDB6DEF56E6D072F2D3C76,SHA256=33D7124932ACF684A2C3A099ED4806DC2A43B7A5D5DA2D2CD78349B965CB7752,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085223Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:53.371{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3C31AFB6C78D63B42E7756875AFD8B3,SHA256=1DF7B3AEC8F216D7E3797DFE5908C5920009440F657F735388BFFE326FA7A7F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085225Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:54.449{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E293F88F55821C80BD335459A35A78E,SHA256=79CA6E534DA034EF40E30B1690B65F284D5509C92B37F768411F94C5B7FAE5AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118830Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:54.019{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC026205BE48ED4E3A93F7BE9FB6D447,SHA256=4C0CFB73DAC9A55ECFAFAEE6D899DE09ED7AAE51D7B0E7BF41343EACBA7B48C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085240Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:55.543{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD09955F88F2DA59F8F332FB7AFAB727,SHA256=DD116EE2FF8BA9D241977F9F3CBB513ED55261D72FC4F5FEA75E34269581565E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085239Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:55.449{9531C931-286E-623C-2100-000000004302}2000NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=9B55F76BA970EB951E82826112DD7DAB,SHA256=D22FEC0E4D022197A73A522AD5CE1FFC6F230B4608A92575DC9A0E9FCEE7C266,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118831Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:55.114{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C9372AAE78E786985106B8222F8DBB6,SHA256=41D002041705DB076E85C187EF7F8E7F6EB317D9376B66D54634C91377B1823A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085238Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:54.996{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4F2A-623C-1405-000000004302}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085237Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:54.996{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085236Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:54.996{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085235Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:54.996{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085234Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:54.996{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085233Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:54.996{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085232Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:54.996{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085231Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:54.996{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085230Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:54.996{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085229Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:54.996{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085228Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:54.996{9531C931-286C-623C-0500-000000004302}408528C:\Windows\system32\csrss.exe{9531C931-4F2A-623C-1405-000000004302}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085227Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:54.996{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4F2A-623C-1405-000000004302}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085226Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:54.997{9531C931-4F2A-623C-1405-000000004302}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000085270Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:56.820{9531C931-4F2C-623C-1605-000000004302}37922868C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085269Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:56.539{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4F2C-623C-1605-000000004302}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085268Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:56.539{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085267Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:56.539{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085266Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:56.539{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085265Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:56.539{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085264Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:56.539{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085263Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:56.539{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085262Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:56.539{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085261Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:56.539{9531C931-286C-623C-0500-000000004302}4081060C:\Windows\system32\csrss.exe{9531C931-4F2C-623C-1605-000000004302}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085260Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:56.539{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085259Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:56.539{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085258Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:56.539{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4F2C-623C-1605-000000004302}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085257Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:56.540{9531C931-4F2C-623C-1605-000000004302}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000085256Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:56.523{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEBBCD66E26B0C126DABBB6D5D00FA70,SHA256=A92B8B5129D367CA6424B4220E10F8721A14A086228844C664814ABFCFB50F09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118832Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:56.211{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEEEB7DC4B9660383A5C5EC7B895B2B3,SHA256=522D219FED2221B4309AD857A6F3CE0CD484245770DFE49F9B72888326AA2075,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085255Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:53.732{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51644-false10.0.1.12-8000- 10341000x800000000000000085254Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:56.242{9531C931-4F2C-623C-1505-000000004302}29483876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085253Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:56.043{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4F2C-623C-1505-000000004302}2948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085252Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:56.043{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085251Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:56.043{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085250Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:56.043{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085249Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:56.043{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085248Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:56.043{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085247Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:56.043{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085246Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:56.043{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085245Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:56.043{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085244Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:56.043{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085243Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:56.043{9531C931-286C-623C-0500-000000004302}408424C:\Windows\system32\csrss.exe{9531C931-4F2C-623C-1505-000000004302}2948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085242Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:56.043{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4F2C-623C-1505-000000004302}2948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085241Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:56.044{9531C931-4F2C-623C-1505-000000004302}2948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000085285Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:57.648{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCC247632E174B01408E0484BDE79BB9,SHA256=2D59D368B2EF09F18BEC5C62953EEBBF38061182FD907B6E54FC023E04DEF476,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118834Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:54.892{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63267-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118833Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:57.305{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD2A9264EA7D64E0954ED3E540CA9D35,SHA256=0F798A19C99BE763D18D953D0C159BFE8B84E80E00373739522B9281FBDE24B9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085284Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:57.210{9531C931-4F2D-623C-1705-000000004302}15281180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085283Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:57.039{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4F2D-623C-1705-000000004302}1528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085282Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:57.039{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085281Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:57.039{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085280Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:57.039{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085279Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:57.039{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085278Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:57.039{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085277Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:57.039{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085276Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:57.039{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085275Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:57.039{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085274Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:57.039{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085273Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:57.039{9531C931-286C-623C-0500-000000004302}4081060C:\Windows\system32\csrss.exe{9531C931-4F2D-623C-1705-000000004302}1528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085272Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:57.039{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4F2D-623C-1705-000000004302}1528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085271Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:57.040{9531C931-4F2D-623C-1705-000000004302}1528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000085286Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:58.710{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2B4FA242E49C5509235049667470FB8,SHA256=800D14FF7A1E26BC150964C717D359105205B45DD00B116033B251623FBE3033,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118835Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:58.398{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB5C0DA264FB81ED477DBA58C3A6C295,SHA256=D88C62663BEC7606D5225FF7744563BA84C4A39ABE7E69F69386F343C6612651,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085300Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:59.804{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E09F595596B691269C06ED45DFD0B5C,SHA256=553BCE9CB5D6F9C12D6DCA63F977B07618922B9E1F3F11138B540658A989FF2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118837Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:59.492{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=410ABFEB5483DDF8465962D13E3248ED,SHA256=36BB679B7573CF09D996C8F938F1C4CD058E437A7F8B54C0EDE2C06212B90AA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118836Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:59.463{5F3DCEF0-287B-623C-2F00-000000004202}3064NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-055648375a9ac07a7\channels\health\respondent-20220324081453-160MD5=AC296348C12F899BF0F527F2984A2DD1,SHA256=A35560BD23E94F5C9C2AA7752B988DA786BB94608EDDAF755EB3DCD02CE684A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085299Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:59.523{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4F2F-623C-1805-000000004302}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085298Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:59.523{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085297Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:59.523{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085296Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:59.523{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085295Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:59.523{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085294Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:59.523{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085293Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:59.523{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085292Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:59.523{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085291Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:59.523{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085290Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:59.523{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085289Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:59.523{9531C931-286C-623C-0500-000000004302}408424C:\Windows\system32\csrss.exe{9531C931-4F2F-623C-1805-000000004302}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085288Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:59.523{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4F2F-623C-1805-000000004302}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085287Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:59.524{9531C931-4F2F-623C-1805-000000004302}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000085303Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:00.914{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4A7F97B27E524C7955FEA49EFD3B52E,SHA256=946653775966FE55A68DED21A4417E04A3911DADAE128038700F91A678D7B5D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118839Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:00.584{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9745E68E3934DF0AD528BEC13016C1E,SHA256=4B008D4407982A2F9D803FE7530CB28ABBF890BF51C7988D040BE74B890417FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118838Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:00.477{5F3DCEF0-287B-623C-2F00-000000004202}3064NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-055648375a9ac07a7\channels\health\surveyor-20220324081451-161MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085302Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:00.617{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AAADC6CF75B8546C00D38F5EB649D758,SHA256=E6ED7D96743F3025F2C2A6A6E367EEA058EFDF0291399D0FB74ADD4073DE30CD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085301Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:58.806{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51645-false10.0.1.12-8000- 23542300x8000000000000000118840Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:01.572{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5281E7BF066E6EF86115856BB58F32BA,SHA256=1CC2D7B5BAEC7F4C6D95226D6A1A5D39E1A7C05714E28BCD4054B2E9A83497E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118850Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:00.880{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63268-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118849Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:02.666{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA1EBEF77CDDA840175A0950175D8135,SHA256=7D71FD9192067DD87EDFD7EF6E56F9420E6AB7C1116842824691AF16564F0342,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085304Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:02.023{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7764748317EBA3AF1D9213CA30C2C22F,SHA256=F9E91B31DB049ECE8AAADFED36EBE1D18CF8F866B4EC9AA1D5D17A28008513A1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118848Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:02.540{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4F32-623C-9905-000000004202}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118847Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:02.540{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118846Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:02.540{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118845Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:02.540{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118844Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:02.540{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118843Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:02.540{5F3DCEF0-286A-623C-0500-000000004202}404608C:\Windows\system32\csrss.exe{5F3DCEF0-4F32-623C-9905-000000004202}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118842Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:02.540{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4F32-623C-9905-000000004202}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118841Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:02.541{5F3DCEF0-4F32-623C-9905-000000004202}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000118860Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:03.853{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4F33-623C-9A05-000000004202}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118859Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:03.853{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118858Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:03.853{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118857Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:03.853{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118856Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:03.853{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118855Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:03.853{5F3DCEF0-286A-623C-0500-000000004202}4041324C:\Windows\system32\csrss.exe{5F3DCEF0-4F33-623C-9A05-000000004202}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118854Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:03.853{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4F33-623C-9A05-000000004202}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118853Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:03.854{5F3DCEF0-4F33-623C-9A05-000000004202}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000118852Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:03.759{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3481117965ED6FEA482DB57B6EC74B23,SHA256=4BBD9A91F18D55BB913EA55CF843FAE402547FDE8EC41A53EA354BCF6762A11C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118851Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:03.697{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E631A5DB4D413D6BED84E085CFC8A7CB,SHA256=6C9FBAC7E95D7F7F65CA9FE8DC112CE1F26DDD7A3CE9CC787F57C1414C58338E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085305Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:03.117{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8ECACC2C17490DA363EF55F7F6ABD083,SHA256=46A8609F5B61736DB3C3C24BAC662CED31451D992332EC0613B2F2704A91EA16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118870Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:04.744{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE91B0B20A7977C3CBC9FFB371E7C0D5,SHA256=09AFD4B01B466BACFE3DDB040E6E79CC8CA09FAE5E94BBFB9926910BC0DBB492,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085306Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:04.211{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5050477AB4BF2DDC675464E96A722AC6,SHA256=4BEC2CD30D03C262BAFDB9F5C2F5C321CF946C06571E41EC0DF43A2A72CED352,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118869Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:04.353{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4F34-623C-9B05-000000004202}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118868Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:04.353{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118867Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:04.353{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118866Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:04.353{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118865Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:04.353{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118864Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:04.353{5F3DCEF0-286A-623C-0500-000000004202}404608C:\Windows\system32\csrss.exe{5F3DCEF0-4F34-623C-9B05-000000004202}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118863Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:04.353{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4F34-623C-9B05-000000004202}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118862Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:04.354{5F3DCEF0-4F34-623C-9B05-000000004202}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000118861Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:04.087{5F3DCEF0-4F33-623C-9A05-000000004202}26964184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000118872Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:05.837{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C840A3E16FDF0E75E104EFCFFF7B508,SHA256=500E3F332A2464F5F16ABC9C86C05F768CF3AD5DA36DA3AB11157548B77037F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118871Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:05.775{5F3DCEF0-287B-623C-3200-000000004202}2344NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=C3471AB5479F2A202FBE699FC4C15FFF,SHA256=B6805AECEDC3AA91E975D93DB788462D90DF74BCE7D023229DAC500F072ECDA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085307Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:05.304{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70EE62BBFA1164D36712A9E13A893852,SHA256=83CA6EFB79102E7D9133BDF390956BB3FD8BFE2244EFD5928B83ABD2322AA765,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118873Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:06.822{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94C77AF7C03B2C9C1914D8AF546EB324,SHA256=993FEBF496B3E20A2D5DC5A0E3700F04F32A9398EF7F84CE07FFD6A3B5B18DF1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085309Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:04.708{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51646-false10.0.1.12-8000- 23542300x800000000000000085308Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:06.398{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C515822B19540F7CDA7DD2613D5D648,SHA256=452FD9FE279F2CE77402817AAF6DAB41A86CCFBA1B01020DC146065A77689A58,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118885Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:05.818{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local63269-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local389ldap 354300x8000000000000000118884Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:05.818{5F3DCEF0-287B-623C-2E00-000000004202}3044C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local63269-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local389ldap 23542300x8000000000000000118883Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:07.915{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCCB37E4D7B8D7317346BD40E57F29CB,SHA256=009CAB3A9083B875DB8EEC73F92857F783F92ADF0E6794B2B4551BC696C8093E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085310Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:07.492{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=813A3EC633B5A875DFB685D4D0DDAE5B,SHA256=C3604AF13BA7F5821F9E906DDC84614BA0B78419E5116E61064F2893D36562DA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118882Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:07.540{5F3DCEF0-4F37-623C-9C05-000000004202}46564172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118881Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:07.306{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4F37-623C-9C05-000000004202}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118880Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:07.306{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118879Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:07.306{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118878Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:07.306{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118877Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:07.306{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118876Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:07.306{5F3DCEF0-286A-623C-0500-000000004202}404520C:\Windows\system32\csrss.exe{5F3DCEF0-4F37-623C-9C05-000000004202}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118875Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:07.306{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4F37-623C-9C05-000000004202}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118874Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:07.307{5F3DCEF0-4F37-623C-9C05-000000004202}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000118902Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:08.978{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4F38-623C-9E05-000000004202}6236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118901Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:08.978{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118900Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:08.978{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118899Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:08.978{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118898Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:08.978{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118897Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:08.978{5F3DCEF0-286A-623C-0500-000000004202}404520C:\Windows\system32\csrss.exe{5F3DCEF0-4F38-623C-9E05-000000004202}6236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118896Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:08.978{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4F38-623C-9E05-000000004202}6236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118895Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:08.979{5F3DCEF0-4F38-623C-9E05-000000004202}6236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000085311Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:08.586{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDC2BC8B7A8F2F068F0F648DF480C8B8,SHA256=3295649F590C21894DB0B6059FAF1C05172DC7C232B4AECA5E54D33BE2D53F04,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118894Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:08.478{5F3DCEF0-4F38-623C-9D05-000000004202}66686428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118893Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:08.306{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4F38-623C-9D05-000000004202}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118892Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:08.306{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118891Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:08.306{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118890Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:08.306{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118889Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:08.306{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118888Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:08.306{5F3DCEF0-286A-623C-0500-000000004202}404520C:\Windows\system32\csrss.exe{5F3DCEF0-4F38-623C-9D05-000000004202}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118887Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:08.306{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4F38-623C-9D05-000000004202}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118886Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:08.307{5F3DCEF0-4F38-623C-9D05-000000004202}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000085312Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:09.679{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72E7E8FFDC366D2A2F011C4C9406C1AD,SHA256=0994C86438F313E686870CACCB49F6F74E90885E095591956B4C9A2C523C60BD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118917Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:09.790{5F3DCEF0-4F39-623C-9F05-000000004202}43202036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118916Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:09.603{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4F39-623C-9F05-000000004202}4320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118915Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:09.603{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118914Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:09.603{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118913Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:09.603{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118912Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:09.603{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118911Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:09.603{5F3DCEF0-286A-623C-0500-000000004202}4041324C:\Windows\system32\csrss.exe{5F3DCEF0-4F39-623C-9F05-000000004202}4320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118910Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:09.603{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4F39-623C-9F05-000000004202}4320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118909Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:09.604{5F3DCEF0-4F39-623C-9F05-000000004202}4320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000118908Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:09.228{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3400-000000004202}2020C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118907Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:09.228{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3400-000000004202}2020C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118906Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:09.228{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3400-000000004202}2020C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118905Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:09.228{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3400-000000004202}2020C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000118904Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:06.818{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63270-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118903Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:09.009{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7AA1D10D5368257D57887C4C6F6B27B,SHA256=716F14DD555F2460FFC7AE6FF11C1443FCA269A54C3D94FBD58D824571629DBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085313Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:10.773{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7996BEFCA5347337237428916A9C857A,SHA256=13426560594759222B1AEECF080B180C2FE3E1AC772D161FAF2F7551634A6734,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118933Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:10.619{5F3DCEF0-28A1-623C-9400-000000004202}50246296C:\Windows\Explorer.EXE{5F3DCEF0-4E9D-623C-7605-000000004202}7004C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118932Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:10.619{5F3DCEF0-28A1-623C-9400-000000004202}50246296C:\Windows\Explorer.EXE{5F3DCEF0-4E9D-623C-7605-000000004202}7004C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118931Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:10.619{5F3DCEF0-28A1-623C-9400-000000004202}50246296C:\Windows\Explorer.EXE{5F3DCEF0-4E9D-623C-7605-000000004202}7004C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118930Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:10.556{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4E9D-623C-7605-000000004202}7004C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bc660|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118929Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:10.556{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4E9D-623C-7605-000000004202}7004C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10ac30|C:\Windows\System32\SHELL32.dll+bc61c|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118928Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:10.556{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4E9D-623C-7605-000000004202}7004C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bc5f0|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118927Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:10.556{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4E9D-623C-7605-000000004202}7004C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+1007b9|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118926Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:10.494{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118925Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:10.494{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118924Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:10.494{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118923Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:10.494{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118922Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:10.494{5F3DCEF0-289E-623C-8500-000000004202}29804132C:\Windows\system32\csrss.exe{5F3DCEF0-4F3A-623C-A005-000000004202}4560C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118921Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:10.494{5F3DCEF0-28A1-623C-9400-000000004202}50246948C:\Windows\Explorer.EXE{5F3DCEF0-4F3A-623C-A005-000000004202}4560C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Notepad++\NppShell_06.dll+4449|C:\Program Files\Notepad++\NppShell_06.dll+46a6|C:\Windows\System32\SHELL32.dll+d9c67|C:\Windows\System32\SHELL32.dll+c0bbe|C:\Windows\System32\SHELL32.dll+15890c|C:\Windows\System32\SHELL32.dll+1982a8|C:\Windows\System32\SHELL32.dll+284613|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+158c54|C:\Windows\System32\SHELL32.dll+15602e|C:\Windows\System32\SHELL32.dll+cd0c1|C:\Windows\System32\SHELL32.dll+cffa6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53 154100x8000000000000000118920Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:10.497{5F3DCEF0-4F3A-623C-A005-000000004202}4560C:\Program Files\Notepad++\notepad++.exe8.33Notepad++ : a free (GPL) source code editorNotepad++Don HO don.h@free.frnotepad++.exe"C:\Program Files\Notepad++\notepad++.exe" "C:\Temp\doublezero.exe"C:\Windows\system32\ATTACKRANGE\Administrator{5F3DCEF0-28A0-623C-DB99-080000000000}0x899db2HighMD5=4F97FC820667DEBD2A076D99E4656179,SHA256=7CBA6F6EDC53CAFAC8D74451EE4EFCFF1CA0D8EAF5BF111B9717B3A14BC5791F,IMPHASH=6BF41AAD44CE76BBBB7AA843748061B9{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x8000000000000000118919Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:10.119{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A3F111D6CEFD54EFCDA1C30D25E7C2B,SHA256=2B9803B5ECFB5358A2786C8CFE3AA81502188A264FFF6471E0FE4719A5CF3B4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118918Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:10.040{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=33C7625CA924DBFE163D916F5ECEE857,SHA256=55D25C3E4877E650CD8B0FBBA97819B026F5E026CCF4BD2B967A45CE25A34F39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085314Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:11.867{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96086CEB7D8504A7B8801A6B3737DFCE,SHA256=A72F954DB2724017D492264A3B800A5AD88C6D06650DB6B6F9B4960C55E5B1C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118934Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:11.103{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6812F44B858AA742FFE66B7F2C417F14,SHA256=251539C9ACC1F0299E72234490AF1B79255999985429EF2B1490104B9073E32C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085316Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:12.961{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ACF3946DB1AAAEBBA482CCDF10677AF,SHA256=E79EC4DA67E586ADBCC941627C383FAFDDA55C33DAA2140B81AC9149F111A9B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118935Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:12.197{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74363A2414512687AFC15523AAABEF31,SHA256=6BB2E7247652D2AD9D7FB05E7BF0E15189BDE0DAB84F2B4F846819B0EC8E9EBD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085315Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:09.728{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51647-false10.0.1.12-8000- 23542300x8000000000000000118936Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:13.290{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9DA4B588518C099A8FB106444892AB4,SHA256=47C1F32E32129E1C0637084DCE9E1207EBE336A7026549D8F706944D820AE201,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118937Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:14.384{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AD18AA4174C4863C27F9F27184E3CBB,SHA256=FCB499CD7FA6E1152CF6323A2C2791EC26C477705B15536AB664298A59F7FBD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085317Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:14.054{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0226A3E125812EB7812F9A7ECCB8B2AA,SHA256=0D925D0A81B9E497A842DFAB02F22C429FE58102617A9F5191203EFF7B1DF2ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118939Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:15.478{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=965BAFE0CC661EB17CAAEC4BF08C585C,SHA256=ADD45BB94818621D560EE7AD8AF72F83C669059C908DE90F941E7D415113C588,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085318Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:15.148{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=534A3B53048BAAA4BC05CD3541D74026,SHA256=38FE9F1FDA684CA13AD06C95C39B27C1D611022D7FE3512100940E2E9D02C680,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118938Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:12.833{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63271-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118940Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:16.575{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12541C65B8EC34688A124FA75D449DDD,SHA256=E36DEC338F7A79BC9754D80D072F45E6AB5094A9C91BB378FB0C82DB817DB6D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085319Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:16.246{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D259BDEB8CD79549B1420FD49831E113,SHA256=686E5130E4B2C31CCA9BABB36C923C47B8B0B289DE7E816E191BD22D40C04692,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118941Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:17.669{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58660947C0499166E29DC5B05D4446D5,SHA256=0EDD4EAA33756D4E9D5AD23516115368B224AE9456D652AA56CC32B2510944A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085320Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:17.340{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BB4718F7CB8F03D2D87BB66F16D533D,SHA256=608F68849737E052316BEF6118F4E18C5ACC4BE92327D785910150BBCD0C6EE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118943Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:18.762{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48219F8133DDDF3F708FCB2638543F82,SHA256=7F211143FF96C13E3B5503CCF79EA825FE84870EB9BD157831046D9D736F9361,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085322Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:18.434{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=648099BED8C497C8C8F5936CD8439FBC,SHA256=CE675EAAF7646B5CE6D19A8CA79E9297E85807BA8952F2CAAC60876940B10888,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118942Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:18.184{5F3DCEF0-286B-623C-0B00-000000004202}620744C:\Windows\system32\lsass.exe{5F3DCEF0-286D-623C-1400-000000004202}1088C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000085321Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:15.701{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51648-false10.0.1.12-8000- 23542300x8000000000000000118944Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:19.856{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6236E78D088E7E353C9B712E9E954A6,SHA256=DA6103AC7F8B87C8960734BE447DE95729975DE7035EA44B15578D1D33A19E78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085323Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:19.527{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C589BEF84F9685CBF270F6F791262656,SHA256=9F778FC0256B13FFE3571CDE95AA56682BEFDBB9E97261B03F02797491797307,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118948Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:20.950{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=055F38EAC03B96ADAB60E3A4815C861C,SHA256=BC0DD897CC3312A9A7D844042FB0BC18B913DA3E9CF25221668309B1FFE15958,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085324Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:20.621{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42BAE6804C54D61090F88CFCA8EA947E,SHA256=EC55E6C3094FA9629B7459876FAAED1EC97E08C1226CBF92943FCDA7A95EF885,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118947Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:17.948{5F3DCEF0-284E-623C-0100-000000004202}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:44c5:ef28:42ec:7b5win-dc-tcontreras-attack-range-891.attackrange.local63273-truefe80:0:0:0:44c5:ef28:42ec:7b5win-dc-tcontreras-attack-range-891.attackrange.local445microsoft-ds 354300x8000000000000000118946Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:17.948{5F3DCEF0-284E-623C-0100-000000004202}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:44c5:ef28:42ec:7b5win-dc-tcontreras-attack-range-891.attackrange.local63273-truefe80:0:0:0:44c5:ef28:42ec:7b5win-dc-tcontreras-attack-range-891.attackrange.local445microsoft-ds 354300x8000000000000000118945Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:17.883{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63272-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000085325Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:21.715{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9B51464C561C3DDC01327233775072E,SHA256=D06E98B31593DC59CC9F9445E82A1C19735EF7765B7A89E7D415CB53F5070ACE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085326Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:22.809{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1EA163C7D810626366AA369C4EB2443,SHA256=20F6DA93B39FDF330A755E39DE6B1FDB661A9A453D53078AD9C11D56690145C3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118951Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:22.981{5F3DCEF0-286B-623C-0B00-000000004202}620744C:\Windows\system32\lsass.exe{5F3DCEF0-286D-623C-1600-000000004202}1260C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118950Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:22.981{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-286D-623C-1600-000000004202}1260C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000118949Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:22.059{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CC8AAB106EBBB2BF1662B67F9D8C52E,SHA256=6D5B5D8B9DE9B4404A6084A0391B25643D2734FD2D0129B67BFBE50828C54316,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085328Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:23.902{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A1B734C2030A2785411B1ABD5D266A8,SHA256=6E44249E51F6FEB1597CBF439168DF323521F143A6BE3AA62A582A500F110238,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118954Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:23.153{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF9D5B977D6FC1E10FE1A498E2376633,SHA256=02E6A0429AE584F5BC6DEC9F370D446646014E7BBB1A876E670BDF5B380ECC65,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085327Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:21.638{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51649-false10.0.1.12-8000- 10341000x8000000000000000118953Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:23.091{5F3DCEF0-286B-623C-0B00-000000004202}620744C:\Windows\system32\lsass.exe{5F3DCEF0-284E-623C-0100-000000004202}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97022|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+2d0d6|C:\Windows\system32\lsasrv.dll+32475|C:\Windows\system32\lsasrv.dll+302fb|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+1752d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000118952Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:23.091{5F3DCEF0-286B-623C-0B00-000000004202}620744C:\Windows\system32\lsass.exe{5F3DCEF0-286D-623C-1400-000000004202}1088C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000085329Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:24.996{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26974DEAAC775A0F85E303AC59548F00,SHA256=B29E0B6912991FC5A9EF8F8BF06E90B82B308CE22291385C65F994EB05498305,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118960Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:24.247{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24A3831DCF807600C938A2E3D50704C3,SHA256=B2AF11046ADA1B737D21526E27821C874AA1B062220CA7D66C36DD93F9C89444,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118959Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:22.757{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63275-false10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local389ldap 354300x8000000000000000118958Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:22.757{5F3DCEF0-286D-623C-1600-000000004202}1260C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63275-false10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local389ldap 354300x8000000000000000118957Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:22.746{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:44c5:ef28:42ec:7b5win-dc-tcontreras-attack-range-891.attackrange.local63274-truefe80:0:0:0:44c5:ef28:42ec:7b5win-dc-tcontreras-attack-range-891.attackrange.local389ldap 354300x8000000000000000118956Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:22.746{5F3DCEF0-286D-623C-1600-000000004202}1260C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:44c5:ef28:42ec:7b5win-dc-tcontreras-attack-range-891.attackrange.local63274-truefe80:0:0:0:44c5:ef28:42ec:7b5win-dc-tcontreras-attack-range-891.attackrange.local389ldap 23542300x8000000000000000118955Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:24.075{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9D322C353F6AE8690F9836E23BD573DC,SHA256=994BBAF54E4314E5F9F8D10AB92EE0037D21F2387EF539CCB132D2CF19738DB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118961Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:25.341{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7DFB0F3A817F6A7E44102841815C17D,SHA256=304E47ADDB90D638B3B6FEF0D4303F5FB383800C4071B6D9AFDB167703987541,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085330Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:25.918{9531C931-286E-623C-2100-000000004302}2000NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=8A35C152F4D3700F76942157F69E8C81,SHA256=619255748835953CF39A9E6C704067D7156AC26624A71D6D93DD3CB5898D6798,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118963Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:26.434{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61AF2A298B6F012FA5ACFA53C3F0A017,SHA256=BC81856175493955FC4377DBD817FE97F075723A21321121FF166ACC68E0FD50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085331Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:26.090{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D36FE35FDA8699D9EF1865483D5C08A,SHA256=D4C6C1421A880209BF743AE76E8C706FC7B58536531C3EDC5FAED51381D203F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118962Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:23.883{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63276-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118965Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:27.528{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8AE9A359E1BD5F15DCAD9E915CEACBD,SHA256=1C1A032C6E952E63996C568BFA3850B10D3822D9BFCB019F21E23068E14A2625,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085332Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:27.184{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE716BC27F81F5F1AD141AE09160D256,SHA256=9C3ECDDA970EFDA42244D3305978661790C1978D873E2C6A9C7FFD5494F4C943,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118964Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:25.278{5F3DCEF0-286D-623C-0F00-000000004202}100C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse31.43.185.9-18224-false10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local3389ms-wbt-server 23542300x8000000000000000118967Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:28.622{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DF0A22D12BEB7015D9EA1CD72D3AF8A,SHA256=361D573005E802A601D4F7A64384B6975FF6007C7956C0DD012D47DAE442FFAB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085334Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:26.701{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51650-false10.0.1.12-8000- 23542300x800000000000000085333Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:28.277{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A3756AF92113F0405783CE0421077FE,SHA256=82D1CA75F00D906CE92784C8041BB8ABD74E540ED31FE6565D7F53256F48140B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118966Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:25.418{5F3DCEF0-286D-623C-0F00-000000004202}100C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse31.43.185.9-18383-false10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local3389ms-wbt-server 23542300x8000000000000000118971Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:29.997{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=76FA46F722626F94BF36B4C680C7DED0,SHA256=8F7C4CFA6CD18B5B2E6D622690A8E66097695B3573D5FC7226AE2D28F4575193,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118970Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:29.716{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CB7A1201F114A5BDB5D0BAB11270325,SHA256=7BD7C1E5555609F37B525BB36A4BEDDA62DD1D284F698376C9753CA804006AA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085335Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:29.371{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B963C210A7C2F8FEDD156865CFFE029,SHA256=A11F78F31BB2B6D89494E66F2FA0D3C40E81813BD4C71E8E1EA8446577DA9560,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118969Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:26.885{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local59135- 354300x8000000000000000118968Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:26.842{5F3DCEF0-286D-623C-0F00-000000004202}100C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse31.43.185.9-20384-false10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local3389ms-wbt-server 23542300x8000000000000000118973Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:30.809{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7873EEFC2D507A0A471C9B0DC6FBA4F6,SHA256=5F4F6DE04F46532A31D694A368C7E8CBFC6636DAA25C43998D2D29AAB9CC7A5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085336Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:30.465{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B478354677E713565CF03FC3A2AE48B0,SHA256=349A002BE4AF048F6744363B5A048417C14342C10380A0FA2376C15FA6DACCF4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118972Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:28.302{5F3DCEF0-286D-623C-0F00-000000004202}100C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse31.43.185.9-22438-false10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local3389ms-wbt-server 23542300x8000000000000000118975Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:31.903{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F6845F86FCC7B73BA0A8C8E1668D1B1,SHA256=40EB46143C79559D28365FECA91FB64B82127D1256B52376005E10E9DC11F13D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085338Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:31.559{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0535E309BA1A1F51A9A0A1C47B8E36C,SHA256=9381EC4CCFA03EA3B505859BEA396B2C3F77C344C20F14B4A4B96CDF0B070150,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118974Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:28.947{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63277-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000085337Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:31.465{9531C931-286E-623C-2100-000000004302}2000NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B25FDCC12974A9C381F03B139373D5A,SHA256=CCB13157BCC6FA0284F12C6446F2447FFDD0F4F85F98465868293CDAEA96B09E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085339Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:32.652{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C3FD771D9E1673DCBD211A1CFC25DFE,SHA256=2248F37987AE2F2072B25B8774D6C03435F4A57C6CFC0E8A9BC84283F549B205,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085341Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:30.998{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51651-false10.0.1.12-8089- 23542300x800000000000000085340Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:33.746{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A807A94ABC9F17CDBACEFFE792DCC68,SHA256=7D5FF4595FE23992766C2A1D7C718193C367747E44F692384F3682FF65C20267,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118976Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:32.997{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43CEA3C4345BC87A79EAE36E3CF3E458,SHA256=A634C55B631E786685D8D7B813834458B60539971247E7FAE4474A9B1A6F41E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085343Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:31.779{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51652-false10.0.1.12-8000- 23542300x800000000000000085342Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:34.840{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29E49056A4E42C212D751C3D352F06B9,SHA256=B46D0E5674FF7F57544002243EB8DD27FB214A5EB3FBBA90C7A11D0035ACD25E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118977Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:34.091{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F16721663E3001D2B3AEA8A39AA8B587,SHA256=93F3A64586A34E35DA31193C89525042F0CA7281E3ADCA9AC3C64E5C0F3BC884,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085344Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:35.934{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0FB60AD6FAF0B7E714589D77F0BE0C0,SHA256=2A26DFF2E8DEE440AA94F0A6CF55D9DA9CB5575E56795F36E585F61B01D5038D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118979Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:35.356{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69DEDDEE3B4344DDEF1902489993F0D4,SHA256=87B5147327F243A0F8F112DA1CF1436C7E67C3A1269E7FC25872D14C1D497C45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118978Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:35.184{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=763B556A1F5403A93E2F0E3DB5C292B4,SHA256=4DBAE3CBA089885C1C67A2EBB97024FD1AC02A9AD1133553EB2175A6A019740A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118982Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:34.883{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63278-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118981Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:36.274{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37FD03FE8B16B51645892B63331C4C88,SHA256=DF890880144764D91FC552A48BC9210BB9E6062086EF92C84297D46263C683C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118980Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:36.075{5F3DCEF0-287B-623C-3200-000000004202}2344NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=4948B9EF0B8C1F7C67CD5BB05613593B,SHA256=11EF0F3DA29FFE63E071A2B514D5F50B2C3DD69DB406398582A155FDB24710DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119015Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:37.680{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=818743C7D229EFAFAC14BE13BA7A325F,SHA256=7BDF96A114453F9906F5E65A1BF78D69A22076E3EEA6BFFB316602E57DAF25D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085345Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:37.024{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90932F70C2E7E40EC89C987BBCCC2F8A,SHA256=0B77506A4638A4FC69A74CACBECCF84918DE1B49055DA1F01F73F138AB461B78,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119014Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:37.227{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119013Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:37.227{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119012Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:37.227{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119011Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:37.227{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119010Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:37.227{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119009Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:37.227{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119008Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:37.227{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119007Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:37.227{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119006Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:37.227{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119005Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:37.227{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119004Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:37.227{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119003Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:37.227{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119002Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:37.227{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119001Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:37.227{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119000Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:37.227{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118999Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:37.227{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118998Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:37.227{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118997Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:37.227{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118996Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:37.227{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118995Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:37.227{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118994Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:37.227{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118993Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:37.227{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118992Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:37.227{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118991Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:37.227{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118990Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:37.227{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118989Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:37.227{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118988Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:37.227{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118987Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:37.227{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118986Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:37.227{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118985Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:37.227{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9800-000000004202}5168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118984Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:37.227{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9800-000000004202}5168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118983Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:37.227{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9800-000000004202}5168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119016Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:38.805{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9367E95FADAAE387D506BEEA5FF669A4,SHA256=5FFA98E514845C35B2BC0BCF0063A017F70C45A63B00C6CF9200047F4B80EA4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085346Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:38.117{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAE0FFFAA7BE2674FA6BF2B3FFD4B052,SHA256=1FFE29B79B54158C012141CC84026C97B6E77D680F25E84C39B0B545B9FD0D85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119018Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:39.899{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91500C5AB8B2B612D35F98E63B61F908,SHA256=8E4ACA71FEDD6556CD8C17B2E0CC9A7325922C942124227661FA7D836D624973,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085348Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:39.977{9531C931-286D-623C-1200-000000004302}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=BB32B7166362B5A2C46779BF04146304,SHA256=F1DAE0ECC769F3CD2FDA8ECBE7E123861E8F3C6F05B6B4AF89509EB3C75D2A24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085347Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:39.211{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1F0FFFE5F25E513BEF8841C2A62BA6B,SHA256=F900CABF8D1FFB8893CC61B4D2A85BDDE31A70DFF5696EB16A2AD1F6C033049C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119017Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:39.149{5F3DCEF0-286D-623C-1300-000000004202}488NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=0EA08FB59EAFE8E878F08E301DADF3BD,SHA256=342124D65731AB4C3A0A01F0E65FCC124253710042BACC5C9AEFA59F8CCEAC6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119019Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:40.993{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=826CDA7C10F9EBF39FF33C4189D3860F,SHA256=741FF36CBC4504AE8160AF010DD99190DD2A15281A509DC45225AF411EF5E3E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085350Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:40.305{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C807F92892B5F627ED6744F3AB0B262C,SHA256=2B2771930621945AA23FA31F85EB690F442A5F0FADF5F66FF62539FF60FDCB8D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085349Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:37.556{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51653-false10.0.1.12-8000- 23542300x800000000000000085351Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:41.414{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E745EBC50173235F0BF0616468A04B3,SHA256=2AB90B5B866BDD0BE30E0AF71A2A9BC0A1B8A2ED7B0F48ED4F99C93030565F8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119020Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:41.727{5F3DCEF0-287B-623C-3200-000000004202}2344NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B25FDCC12974A9C381F03B139373D5A,SHA256=CCB13157BCC6FA0284F12C6446F2447FFDD0F4F85F98465868293CDAEA96B09E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085352Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:42.508{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A824121BA4427EC06BC3D17B0C25AB7A,SHA256=0F60A6ABB406784F425224552656A74BCE90C3AC52475FC557B6AEDBC0DF70E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119021Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:42.087{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=120C8EBC2E494E5A52F929BC1FFDACA0,SHA256=0B3573F10F8261B2158E4C9432EF93171BAABCC1D1EF900DF21D6A29732B6744,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085353Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:43.602{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2547777D08BD471CA619A12517438BF6,SHA256=C367A21902CA4245E9F7F6EC2F32505FE6009E6B2A0F084A2F8E6F3A5D4B97F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119024Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:41.473{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63280-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000119023Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:40.879{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63279-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119022Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:43.180{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5C33049490E6AEEFFE78586AE8C6845,SHA256=0C82AA75B94AA3F1E8831CFE2D8497A8790565E3DBE2185CC68ABDE0FD083E30,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085355Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:42.791{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51654-false10.0.1.12-8000- 23542300x800000000000000085354Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:44.696{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E970C1D72AE168AB268920C96070AB7,SHA256=267DAC323F7B650E3DC20848C842DAE8EF54F8752F09D3255558DF1194B14573,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119025Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:44.274{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EA9EDCF21AD6A1684072557BD88CAF5,SHA256=258B0873A9342B61EC51C3C36F8C41B8D5BFA2EFA5B64DEE0549C6C3831A8982,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085356Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:45.789{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60E04CBE0719258A0A3F5E6E1DD4CBCC,SHA256=DC6A8BC35E8A47327B422FE18ED1D3E883A4390FB818BAA0BBF74DBC242FF53E,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000119027Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-SetValue2022-03-24 11:00:45.868{5F3DCEF0-286D-623C-1100-000000004202}408C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d83f6e-0x69a3373b) 23542300x8000000000000000119026Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:45.368{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA35D336781C285CD60616446DC413F6,SHA256=AC91B18A527516CFD9F1BAF8C55089764243C7B2ABB95DCE889D3B07A5AB3330,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085357Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:46.883{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7427A1729FF6D40A07A53BA710DA509B,SHA256=F35320049221CA666D739249857F1B1A53CC13799AEA24DE65335E71611207BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119028Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:46.462{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9837A54432A3A6EE0CC0D0A424903B9D,SHA256=0649B4267B0B31A8D41D8DC9697DBA1DDE0AF00F85ABAE79F1A023912A04FE6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085359Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:47.973{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1EEFA0AFA247AAF0DA9BFC93F9DF691,SHA256=F8CCEDC5E88D0838B3CE6902296C97F51A40BA46D4C611D17B040A28790B88BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085358Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:47.968{9531C931-286E-623C-1F00-000000004302}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0461bb3aaa367e86a\channels\health\respondent-20220324081441-161MD5=E0BA989DE2EAC2D304FA728EF5181BE5,SHA256=79811ABCB3575FCAAAD7A2ED1966FC2D319842A68AFDD7DF3600AD47FF32DF65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119029Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:47.556{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55B12DC1657C6C9F93D5A7B3894AA7AD,SHA256=461FD8694F9581C6B38928F40D11A753B40C30F3EE95813A4F1010C5682A2918,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119031Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:48.649{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDE54B5C96606A1BDD6C3161A487B2F4,SHA256=1F07C4F635EC2FE9EA7044CC9EBBD1CD54345A82B74F70221B5F69EBE806FBA7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119030Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:45.957{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63281-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000085360Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:48.980{9531C931-286E-623C-1F00-000000004302}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0461bb3aaa367e86a\channels\health\surveyor-20220324081439-162MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119032Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:49.743{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F389BEBA37952852B3B2C7ED8FC8FE89,SHA256=73CB99B64C98D0C481744658C9801654A830B4900C15B913CFABB674D2BF84E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085361Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:49.071{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDF3F35FD1B56EE8327FB4D200E0B277,SHA256=F2BF2DB30D16CCE5E14A8EFDE7F3BDECEAA6EBDBA7571BE4E005B5646673D5E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119033Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:50.837{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2779C1ECD1A67EAB3D402B4DC47D5EE2,SHA256=13EB1D0066135FCAA80245EC80AD605E88A6C14C04245FCABF462AF216CC2055,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085362Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:50.058{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B24F5AB80B9E4354C9504C032EEA638,SHA256=D280455C9926F0EE12A14AF67350292F63DDF6BE890845F48A176452962F7B10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119034Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:51.931{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3877C6B6AF7B0DC6F2AE18FD5E15923C,SHA256=57EE4DCF3EAFD44125D05BEA4265CB1236C2805F48CD36D2DCE92034141056F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085364Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:48.744{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51655-false10.0.1.12-8000- 23542300x800000000000000085363Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:51.151{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AF57A621F5FF35FC77456D45210F94F,SHA256=2155F4112F5CA68B1A41A3C70D56B891C2D77D8E06B23F9DC403A436AAF76B81,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085391Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:52.745{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4F64-623C-1A05-000000004302}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085390Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:52.745{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085389Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:52.745{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085388Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:52.745{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085387Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:52.745{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085386Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:52.745{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085385Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:52.745{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085384Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:52.745{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085383Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:52.745{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085382Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:52.745{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085381Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:52.745{9531C931-286C-623C-0500-000000004302}408424C:\Windows\system32\csrss.exe{9531C931-4F64-623C-1A05-000000004302}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085380Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:52.745{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4F64-623C-1A05-000000004302}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085379Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:52.746{9531C931-4F64-623C-1A05-000000004302}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000085378Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:52.245{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4F64-623C-1905-000000004302}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085377Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:52.245{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085376Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:52.245{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085375Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:52.245{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085374Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:52.245{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085373Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:52.245{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085372Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:52.245{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085371Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:52.245{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085370Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:52.245{9531C931-286C-623C-0500-000000004302}4081060C:\Windows\system32\csrss.exe{9531C931-4F64-623C-1905-000000004302}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085369Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:52.245{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085368Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:52.245{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085367Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:52.245{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4F64-623C-1905-000000004302}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085366Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:52.247{9531C931-4F64-623C-1905-000000004302}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000085365Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:52.245{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDAFA28F9DA9DDD211A36B3BD3454105,SHA256=E443D09BBB6CD9A1F61A7AC2D5FC58B73E323099DD5A9883A78011C4534009B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085394Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:53.636{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62C9AB1A570AFCCB8D72132F18196C45,SHA256=BF690EB24DF88E7675EBE4BEEE87ABA5EED73261276B15CF63BD52634E5A3138,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085393Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:53.355{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0E7CF8735F01B7D474A110302A28FB40,SHA256=236C611DBC2DA1A60BA9B8889854DE197B26FCA0A3ABBC83B60F9580C972E0A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119035Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:53.024{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49EECC114CC53A299642E510A3AFF890,SHA256=44130874EA5233D4E4C062AC8F7FB376BB64754BD2DB32269DEB782D6A7C1E4B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085392Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:53.089{9531C931-4F64-623C-1A05-000000004302}19801816C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000085395Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:54.464{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFC5AE20C41BEE3005800477EA8F7D55,SHA256=5342688F6477E06D1981AC89F297AB8DC3DEF9AB8CA82446AA795AAAB1C6829A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119037Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:51.988{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63282-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119036Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:54.118{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5A679DEB43E5F57A28E04E8FE91134B,SHA256=735D803BEA4D1BB2077878D31681F52CCA86F5CCBD919666D84374E5864A12C4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085423Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:55.917{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4F67-623C-1C05-000000004302}1880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085422Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:55.917{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085421Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:55.917{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085420Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:55.917{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085419Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:55.917{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085418Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:55.917{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085417Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:55.917{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085416Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:55.917{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085415Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:55.917{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085414Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:55.917{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085413Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:55.917{9531C931-286C-623C-0500-000000004302}408424C:\Windows\system32\csrss.exe{9531C931-4F67-623C-1C05-000000004302}1880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085412Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:55.917{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4F67-623C-1C05-000000004302}1880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085411Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:55.919{9531C931-4F67-623C-1C05-000000004302}1880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000085410Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:55.605{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22516E253480A72EF0DFCE51CE36B1DD,SHA256=FBAEEC48A9290D3F2BB2A737E8D8468C057762BEE62CD4FD7E9AF8A4C4FFDBC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119038Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:55.321{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1F584921483F9DDB22E68E6F13F421C,SHA256=72D66FCF28DDE598DE76AE0A7EA90FE20A580A32920927C2D3557EEEFBE515CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085409Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:55.245{9531C931-286E-623C-2100-000000004302}2000NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=BB2D3C1E09ED362DAA7A552C15606659,SHA256=1ACD006CC778D446A6D95DA96FFAD57E687C8941EB80E67DEAA8592019ECFA34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085408Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:55.011{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4F67-623C-1B05-000000004302}616C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085407Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:55.011{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085406Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:55.011{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085405Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:55.011{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085404Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:55.011{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085403Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:55.011{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085402Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:55.011{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085401Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:55.011{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085400Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:55.011{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085399Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:55.011{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085398Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:55.011{9531C931-286C-623C-0500-000000004302}408424C:\Windows\system32\csrss.exe{9531C931-4F67-623C-1B05-000000004302}616C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085397Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:55.011{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4F67-623C-1B05-000000004302}616C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085396Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:55.012{9531C931-4F67-623C-1B05-000000004302}616C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000119039Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:56.419{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AAD837D5F09A7BFE3C82F2CB01F25B0,SHA256=E5C6A44C29ED0B42B93C9D95CD603F2D7355A2118BF06BC89620EA0D892A3102,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085437Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:56.700{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4F68-623C-1D05-000000004302}1088C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085436Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:56.700{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085435Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:56.700{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085434Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:56.700{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085433Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:56.700{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085432Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:56.700{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085431Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:56.700{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085430Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:56.700{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085429Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:56.700{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085428Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:56.700{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085427Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:56.700{9531C931-286C-623C-0500-000000004302}408424C:\Windows\system32\csrss.exe{9531C931-4F68-623C-1D05-000000004302}1088C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085426Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:56.700{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4F68-623C-1D05-000000004302}1088C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085425Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:56.701{9531C931-4F68-623C-1D05-000000004302}1088C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000085424Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:56.263{9531C931-4F67-623C-1C05-000000004302}1880860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119040Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:57.513{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDC160AFEC46B379C90D8267C7E6B1E7,SHA256=3857051109BA6BCAB5882447CD85A9151A87CC0AE31818C81A03DB59E98E8E0A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085454Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:57.528{9531C931-4F69-623C-1E05-000000004302}13202500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000085453Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:54.638{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51656-false10.0.1.12-8000- 23542300x800000000000000085452Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:57.262{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FC9DA8457005904ECF4B384099A057D,SHA256=E6313B1B63347D910D29018EB6089A34B200D0EBFDCA4F277159DC64D9204BEC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085451Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:57.200{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4F69-623C-1E05-000000004302}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085450Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:57.200{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085449Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:57.200{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085448Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:57.200{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085447Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:57.200{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085446Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:57.200{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085445Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:57.200{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085444Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:57.200{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085443Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:57.200{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085442Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:57.200{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085441Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:57.200{9531C931-286C-623C-0500-000000004302}408424C:\Windows\system32\csrss.exe{9531C931-4F69-623C-1E05-000000004302}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085440Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:57.200{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4F69-623C-1E05-000000004302}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085439Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:57.201{9531C931-4F69-623C-1E05-000000004302}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000085438Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:56.997{9531C931-4F68-623C-1D05-000000004302}1088992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119041Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:58.607{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C75FFC1F29F2E43A8FBDC02DED856B52,SHA256=D3027FEB50C3B8C601990A050BFEEFB056939F7D59962883D211D76C989684E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085455Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:58.137{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51F54AE5F02F3AE4B5FFF40A2E55FEDE,SHA256=94F99F2CD8631CC1809577CFF3579EDECD6E728214579A11CF3CF2F91E8D5D51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119042Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:59.700{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAC51464DB3E94B4E7A2E5C1EFF3EB9A,SHA256=C4DCEF18A6247AEDB1471A5B8940366E1F6FF05D2D729C48E98188ADA83AA8F9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085469Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:59.387{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4F6B-623C-1F05-000000004302}2064C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085468Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:59.387{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085467Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:59.387{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085466Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:59.387{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085465Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:59.387{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085464Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:59.387{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085463Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:59.387{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085462Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:59.387{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085461Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:59.387{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085460Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:59.387{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085459Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:59.387{9531C931-286C-623C-0500-000000004302}4081060C:\Windows\system32\csrss.exe{9531C931-4F6B-623C-1F05-000000004302}2064C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085458Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:59.387{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4F6B-623C-1F05-000000004302}2064C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085457Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:59.388{9531C931-4F6B-623C-1F05-000000004302}2064C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000085456Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:59.231{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B8BF568A2D5A3FD800C7E035E3FC4F3,SHA256=5B159BD2D2296559767AC36BE8409675858C553D3375A4A033ED0239648C55B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119044Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:00.796{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1068E5D16F053BB45EE43D393C49A91B,SHA256=6BB4524E50B16AA2F75DB5FF2BDF15EAAC1EB0F5394BA5096C59DBD869677F0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085471Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:00.497{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F54B6D152EC6E1F57D93C7CD6F038806,SHA256=AD6800E81DBF45219E1A13C3169105C823F277678682605FF8BA7A5B1DDAF129,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085470Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:00.325{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E25081E51429C09E103B7830FA3CC18A,SHA256=B097F3D1818AE9336EDC5159BA95F941F531D9EFA1D5ABC326B5255B81104C86,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119043Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:57.945{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63283-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119046Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:01.882{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEF7DB81CAF8040B609AFDED921F7024,SHA256=6F97154F0B9F331D353F76C24CF9C7717B96451A510954D1C2316A1C9B609D80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085472Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:01.418{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DF434BBE3F04DC174E510A74ADA1231,SHA256=FB29CA276861A614C2F035B02E78ED02E55D56886FDF0BD718ED14CFE5CC83B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119045Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:01.003{5F3DCEF0-287B-623C-2F00-000000004202}3064NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-055648375a9ac07a7\channels\health\respondent-20220324081453-161MD5=AC296348C12F899BF0F527F2984A2DD1,SHA256=A35560BD23E94F5C9C2AA7752B988DA786BB94608EDDAF755EB3DCD02CE684A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119056Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:02.977{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D54CD2C4C375AE615070F9CF160ABCA9,SHA256=3D308545709F7FF4E9ADC23B6B7A4CFFD655F5ABDA5A87A7D30339F6B172BAC2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085474Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:59.779{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51657-false10.0.1.12-8000- 23542300x800000000000000085473Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:02.512{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BDC1B981886BCE8E3B98799962A4377,SHA256=3D4CFADE4AD1DD966263087892D6E453D566B8D80BC6E900A5AB2A41DABB7021,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119055Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:02.540{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4F6E-623C-A105-000000004202}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119054Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:02.540{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119053Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:02.540{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119052Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:02.540{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119051Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:02.540{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119050Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:02.540{5F3DCEF0-286A-623C-0500-000000004202}4041324C:\Windows\system32\csrss.exe{5F3DCEF0-4F6E-623C-A105-000000004202}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119049Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:02.540{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4F6E-623C-A105-000000004202}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119048Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:02.541{5F3DCEF0-4F6E-623C-A105-000000004202}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000119047Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:02.008{5F3DCEF0-287B-623C-2F00-000000004202}3064NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-055648375a9ac07a7\channels\health\surveyor-20220324081451-162MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085475Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:03.606{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73264A9688E454377EC9E049CF05CAC7,SHA256=31E36C8EA8559086E21C690412778C0D31C3DE7F946285187447416B59CFE493,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119065Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:03.868{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4F6F-623C-A205-000000004202}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119064Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:03.868{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119063Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:03.868{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119062Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:03.868{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119061Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:03.868{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119060Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:03.868{5F3DCEF0-286A-623C-0500-000000004202}404420C:\Windows\system32\csrss.exe{5F3DCEF0-4F6F-623C-A205-000000004202}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119059Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:03.868{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4F6F-623C-A205-000000004202}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119058Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:03.869{5F3DCEF0-4F6F-623C-A205-000000004202}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000119057Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:03.587{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E46E0376D9CA1A7CCF10CED3FFC2CB72,SHA256=FE84343CC5960007C43C3755CFE8E9BE8C0A0157D32B943520537C2A26D022FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085476Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:04.700{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F19E973DA9D2FD947F3534465A653D71,SHA256=6499F9C29E0B77AD479DD0AB3261E5D12997E6DA4182D00E790EA060064FC68F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119075Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:04.759{5F3DCEF0-4F70-623C-A305-000000004202}26766856C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119074Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:04.540{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4F70-623C-A305-000000004202}2676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119073Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:04.540{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119072Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:04.540{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119071Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:04.540{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119070Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:04.540{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119069Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:04.540{5F3DCEF0-286A-623C-0500-000000004202}404420C:\Windows\system32\csrss.exe{5F3DCEF0-4F70-623C-A305-000000004202}2676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119068Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:04.540{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4F70-623C-A305-000000004202}2676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119067Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:04.541{5F3DCEF0-4F70-623C-A305-000000004202}2676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000119066Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:04.071{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=625EA5D3C36B95BA07FBFEA62D9EBB67,SHA256=D09D639F0FC69245983491E367FF7FD3A2FAB73478919424DF8497400CF26D62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085477Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:05.793{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4534FAEE417703D260E25222E9E5748,SHA256=CEF9C695F1B85578929412BB0A96EFC87E908CBC1D9B8CDA852916AE1C3C132C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119077Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:05.337{5F3DCEF0-287B-623C-3200-000000004202}2344NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=02A186CE156B2298DBA5FF1FA95404D2,SHA256=E759800463865111B606F0B8FDBB84EBABFC9EBEE23992651A1913A9D649B145,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119076Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:05.165{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AD896851FE1C3B40D8E6602CAD2B10A,SHA256=A000E84D12D099BEB591D11CEBAE81712DAA2CAF4C208D4D2187F1A30E6F0003,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085478Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:06.887{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3F98CC0FDFA72432391E989DA80AC58,SHA256=1AF863964D4E772A0CCA83B7AF0E6A96C04093DCF9B831F689B75AEF5C053514,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119079Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:03.816{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63284-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119078Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:06.259{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F9CA571E4AA0194A6F4B5A3EBE1D28F,SHA256=29BD4C21466D36C637F704AD646DD3E95B4AEF36155972217F3890B49D748B97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085480Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:07.981{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=107560CCE4058084265BDD4E45554E2E,SHA256=C4636F508A60E503EB56EC4184FF036BD43B989B3F65409DE33F7874BFA99ED6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119091Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:07.524{5F3DCEF0-4F73-623C-A405-000000004202}68726888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000119090Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:05.832{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local63285-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local389ldap 354300x8000000000000000119089Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:05.832{5F3DCEF0-287B-623C-2E00-000000004202}3044C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local63285-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local389ldap 23542300x8000000000000000119088Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:07.353{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=847DA0E27E4403AF4EEAFAFC9FF15451,SHA256=C1DD924D3339DE1BA1D357E59FD4FA6E3098C81ABC46DF04880358703101A7D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119087Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:07.321{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4F73-623C-A405-000000004202}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119086Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:07.321{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119085Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:07.321{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119084Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:07.321{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119083Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:07.321{5F3DCEF0-286A-623C-0500-000000004202}404420C:\Windows\system32\csrss.exe{5F3DCEF0-4F73-623C-A405-000000004202}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119082Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:07.321{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119081Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:07.321{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4F73-623C-A405-000000004202}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119080Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:07.322{5F3DCEF0-4F73-623C-A405-000000004202}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000085479Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:05.623{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51658-false10.0.1.12-8000- 10341000x8000000000000000119109Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:08.977{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4F74-623C-A605-000000004202}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119108Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:08.977{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119107Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:08.977{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119106Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:08.977{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119105Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:08.977{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119104Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:08.977{5F3DCEF0-286A-623C-0500-000000004202}404608C:\Windows\system32\csrss.exe{5F3DCEF0-4F74-623C-A605-000000004202}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119103Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:08.977{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4F74-623C-A605-000000004202}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119102Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:08.978{5F3DCEF0-4F74-623C-A605-000000004202}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000119101Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:08.477{5F3DCEF0-4F74-623C-A505-000000004202}4356752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119100Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:08.446{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD044C7FB35068D2CDAD9EC422BE1462,SHA256=E1DB75BBBC171E220B4F6039B48E9D1AB8DFB5C231A6A118250E66E7F7D3A995,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119099Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:08.306{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4F74-623C-A505-000000004202}4356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119098Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:08.306{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119097Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:08.306{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119096Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:08.306{5F3DCEF0-286A-623C-0500-000000004202}4041324C:\Windows\system32\csrss.exe{5F3DCEF0-4F74-623C-A505-000000004202}4356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119095Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:08.306{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119094Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:08.306{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119093Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:08.306{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4F74-623C-A505-000000004202}4356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119092Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:08.306{5F3DCEF0-4F74-623C-A505-000000004202}4356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000119119Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:09.759{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=977F7F631F10DF3E0E0674A9634A2333,SHA256=BAB5AA2D933629E57C3E8E5534353D8D0483AC3FB205B87ECA3E20CC9AD3E38D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085481Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:09.075{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76B756237DC99DB57F3BDAC2AD87CCBB,SHA256=68D6DB9D53BA1FD847F0043D7258C61CF13F2BC7B03CE5B72A083AE5DD0D494E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119118Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:09.649{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4F75-623C-A705-000000004202}1900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119117Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:09.649{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119116Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:09.649{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119115Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:09.649{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119114Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:09.649{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119113Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:09.649{5F3DCEF0-286A-623C-0500-000000004202}404420C:\Windows\system32\csrss.exe{5F3DCEF0-4F75-623C-A705-000000004202}1900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119112Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:09.649{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4F75-623C-A705-000000004202}1900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119111Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:09.650{5F3DCEF0-4F75-623C-A705-000000004202}1900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000119110Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:09.149{5F3DCEF0-4F74-623C-A605-000000004202}65324472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119121Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:10.853{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B08940048F06AB0E7C7BE6D279DCBF4D,SHA256=3856061E72DD1EA4541BAA82A13656EB3F83115063939663C85A8DB9C0CE728D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085482Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:10.168{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61B8E02FB69FEA7B218D861076BDC75B,SHA256=FCD605AC85FF9A535A0C3D875607092DAB324F946A932201531E4DBEB1227165,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119120Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:10.165{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B1EB3E86CB37CDAAF6F94647E9671AFB,SHA256=A23272BB36A0CA51E2BB20A0E14A27ADEF6E48531272DD7FEFEF67B7F74A1FCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119123Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:11.946{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C35BC0D8F5B785F50A566FD6BB46E28,SHA256=E59C62316264D0E80A03FCD9997FFEE995038859DF64B916C39EF3BAEE1A4EAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085483Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:11.262{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA8F31CAE5D9805AD33C6E4BCA3E8CC9,SHA256=B777954EE5C700713C68909D91E7E6356D3073C3BDABE2F31505BDEE383880F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119122Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:08.910{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63286-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000085485Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:10.641{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51659-false10.0.1.12-8000- 23542300x800000000000000085484Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:12.356{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=008631DC40134B7BD4CF16ACF25F5E88,SHA256=972598BC083A1C0D68C628F0C4338C23E46AA386AF049DFCA3993B2EB7348473,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085486Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:13.450{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62DC4E481F0959A52FAF17706F19985A,SHA256=F84753956D096E24C303E40DDE74182696D7C79938B49B58DC2FE9559E717E85,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000119129Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-SetValue2022-03-24 11:01:13.681{5F3DCEF0-287B-623C-3500-000000004202}2112C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\C415B540-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_C415B540-0000-0000-0000-100000000000.XML 13241300x8000000000000000119128Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-SetValue2022-03-24 11:01:13.681{5F3DCEF0-287B-623C-3500-000000004202}2112C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\E24E79DA-871C-4F1E-B921-5D1DF27ADC35\Config SourceDWORD (0x00000001) 13241300x8000000000000000119127Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-SetValue2022-03-24 11:01:13.681{5F3DCEF0-287B-623C-3500-000000004202}2112C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\E24E79DA-871C-4F1E-B921-5D1DF27ADC35\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_E24E79DA-871C-4F1E-B921-5D1DF27ADC35.XML 10341000x8000000000000000119126Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:13.665{5F3DCEF0-286B-623C-0B00-000000004202}620820C:\Windows\system32\lsass.exe{5F3DCEF0-287B-623C-3500-000000004202}2112C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119125Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:13.665{5F3DCEF0-286B-623C-0B00-000000004202}620820C:\Windows\system32\lsass.exe{5F3DCEF0-287B-623C-3500-000000004202}2112C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119124Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:13.040{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA4748F976B8BCAE798E7403D28D8BCC,SHA256=21FBBFD392660BA2FC628D1B131F1D2C608E4CE7098779620BCF563141FA7F4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085487Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:14.543{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F204B5BA6CBFDC44F498175AAB33B7B,SHA256=50A920161C309B52FCB4AF663E156D41557D722AFD9AF88E81432E46A20964F3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119133Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:14.540{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-287B-623C-3500-000000004202}2112C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119132Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:14.540{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-287B-623C-3500-000000004202}2112C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119131Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:14.540{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-287B-623C-3500-000000004202}2112C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119130Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:14.134{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BF510B16681497DBB4835C9B1A5162F,SHA256=D4A4662D2CCBCA37234F76743044A0B73757C6F567D4F3E059F616F8C2C15B69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085488Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:15.637{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F50D7EE1EFE8672301229CADB9BB6CF,SHA256=9E1D3ED47D7682ABD5674BCDED39B82DA2A53CA107095C16F6468CC2D4BA68A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119148Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:15.634{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=97BAD77B6BA014AFED5499518933049D,SHA256=A23ECDE788FB93E50306B4ACC2176AE67C4DB8BB53643216348CE9B478178000,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119147Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:15.556{5F3DCEF0-286B-623C-0B00-000000004202}620744C:\Windows\system32\lsass.exe{5F3DCEF0-287B-623C-3500-000000004202}2112C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119146Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:15.556{5F3DCEF0-286B-623C-0B00-000000004202}620744C:\Windows\system32\lsass.exe{5F3DCEF0-287B-623C-3500-000000004202}2112C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000119145Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:13.459{5F3DCEF0-286D-623C-1400-000000004202}1088C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:0:0:c850:1dd0:9c7:ffff-64465-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x8000000000000000119144Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:13.459{5F3DCEF0-286D-623C-1400-000000004202}1088C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:44c5:ef28:42ec:7b5win-dc-tcontreras-attack-range-891.attackrange.local64465-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x8000000000000000119143Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:13.452{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local58168- 354300x8000000000000000119142Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:13.448{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local60668-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000119141Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:13.448{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local64897- 354300x8000000000000000119140Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:13.447{5F3DCEF0-286D-623C-1400-000000004202}1088C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local64897-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domain 354300x8000000000000000119139Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:13.428{5F3DCEF0-286D-623C-0D00-000000004202}884C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:44c5:ef28:42ec:7b5win-dc-tcontreras-attack-range-891.attackrange.local63287-truefe80:0:0:0:44c5:ef28:42ec:7b5win-dc-tcontreras-attack-range-891.attackrange.local135epmap 354300x8000000000000000119138Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:13.428{5F3DCEF0-287B-623C-3500-000000004202}2112C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:44c5:ef28:42ec:7b5win-dc-tcontreras-attack-range-891.attackrange.local63287-truefe80:0:0:0:44c5:ef28:42ec:7b5win-dc-tcontreras-attack-range-891.attackrange.local135epmap 10341000x8000000000000000119137Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:15.384{5F3DCEF0-286B-623C-0B00-000000004202}620820C:\Windows\system32\lsass.exe{5F3DCEF0-287B-623C-3500-000000004202}2112C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119136Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:15.384{5F3DCEF0-286B-623C-0B00-000000004202}620820C:\Windows\system32\lsass.exe{5F3DCEF0-287B-623C-3500-000000004202}2112C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119135Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:15.384{5F3DCEF0-286B-623C-0B00-000000004202}620820C:\Windows\system32\lsass.exe{5F3DCEF0-287B-623C-3500-000000004202}2112C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119134Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:15.227{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C59D4E17773BBA978ABC0E5136DB1B9A,SHA256=E6A296BF7FAC67DE66ED95BBF68091B22C54A3A413DE9E27E266324E71023C62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085489Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:16.724{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F8314C4EF9CA2F100068C59B9276D34,SHA256=3D71358FB4ED3A512A41900550C2A2F22C6C3ADABD3568A0D7827B2A9087D874,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119154Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:15.144{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63290-false10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local389ldap 354300x8000000000000000119153Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:15.144{5F3DCEF0-287B-623C-3500-000000004202}2112C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63290-false10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local389ldap 354300x8000000000000000119152Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:14.847{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63289-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000119151Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:14.300{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63288-false10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local389ldap 354300x8000000000000000119150Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:14.300{5F3DCEF0-287B-623C-3500-000000004202}2112C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63288-false10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local389ldap 23542300x8000000000000000119149Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:16.318{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03DD35A57135D5DDFAC66BF3592DBDAE,SHA256=E0E49D87BF8C12A58A4BBA7E88EDAFD047404AF9490BE4FFF009FEEEB0C8CC72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085490Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:17.833{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13AF1D09B4ED054659A19BB19E171605,SHA256=D24A785CCA605D3A82BB37D6E00B33223B72BE070773FC62EEFAD262B75E86EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119155Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:17.412{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF76F4EFE504E609C1842D5ACB4D1DAA,SHA256=F2C2F4B01F07C92B3B45BE00C75305F170A3DE95DC0AF4FF18B56549A0AE50AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085491Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:18.927{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6D5E4201B66CA76E341DDD13300D88E,SHA256=6924B518BB64BFAAD02B7E19982769ACB11FD1DE076A0B5345D49320EA55E9F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119156Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:18.506{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62545F939A4CEFD610F74FB079605CE7,SHA256=30196E19AB3F6DE6F35ACAF483DCDC7F6CC0807389BF9C8C86F4D1177638BC84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119157Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:19.599{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=924C130DF7C25A37BE78FCB6C9DB9C53,SHA256=DAF5B909019969466B073F26C8F8DD56940FF5350E4354A65AFCF68DC685494B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085492Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:15.756{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51660-false10.0.1.12-8000- 23542300x8000000000000000119158Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:20.693{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=635641054F56CC36D59FC2D8DCEFE8D8,SHA256=CA7A1DA43EB5479BC9C352DC245D5DB12A7E4B4F631A02C2794286118CD58256,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085493Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:20.020{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF452FCB7F7ACD13AD3AE4A3FD1E0681,SHA256=8DCB17ABB0F6440BC015506E820AD1D8674A6CFD00E257BAF0684BF79D580BDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119159Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:21.787{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=926E222D70B9FBD64D6FEEBF0898AC72,SHA256=A42F5CAC61643A1BBE43B87FFF3062907CD2A654B605596CC812F42A9F76C9AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085494Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:21.020{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=198248817B849D16210A3F6A4688C745,SHA256=CEBF9A1A4103E7D5A41FEE4EF06BD41DE6B0B68978D1F8025F01EB00370BFEAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119160Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:22.881{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=937D188DBDF6A5C900D5F25E3D0E0B45,SHA256=426E4708C8E4D243B9ED53BA8B6ECC5B2D5D8D35BB0F392AD29511D1E6AA3FED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085495Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:22.114{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD97721345406CCEEE502F1D15F39A35,SHA256=89115CE2D9DD3A007A7228DC9B5AD74662744FAF2A31EB127B10E1231A41742A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119162Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:23.974{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CCEF5B5E52159FA086FE003FC720620,SHA256=C1D7797B286AE92248E8F22240A43351DD3FCDA4953203B6865EAE786D5B13E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085496Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:23.208{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=286D5ED096E21FCF4E05C9E259E0783F,SHA256=7A3C23BCC036B7FEB70025FD35449AFCD6DD91A7232CF982A5AC090E8066BBA8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119161Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:20.797{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63291-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000085498Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:24.302{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0870A0652EB3906E300931647253C5E,SHA256=A26E259EDC887707E8B7AAB68772F7542F0126FA8AA67E2190331AC184BF9934,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085497Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:20.756{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51661-false10.0.1.12-8000- 23542300x800000000000000085500Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:25.395{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62563B14CCE1C251E902BB11AE109225,SHA256=D9097A91C663CAD8A4DA6515597BA7C2C64309E10848448B70ED69B98BEBDCB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085499Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:25.364{9531C931-286E-623C-2100-000000004302}2000NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=95124EEC18E29F318A828EAFCA5D6905,SHA256=D1C5E044CEC00D0DF3ABE9FAE0502D38C8BD514A562B089253FCBD37B39A0081,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119163Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:25.068{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B32AE429B93AFBED817497F6CD798BE7,SHA256=5A6F144E54D55673750CA824920D88DA898CD00A01849C796F0B1B9C3211B11B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085501Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:26.489{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=834454A789CEA626D4E12D9083ADBEBF,SHA256=29C02FEDA4EE7735890D1C6068ED4E4A6712B9B56F661E1AE525A52A985E7180,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119164Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:26.162{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01F0689D546646A6140E3A8E451274B3,SHA256=2600F7691AB97D1A3E88A12F0335569443667AA8417D8C46BFE5E2CDED358394,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085502Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:27.583{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0068D3F7E807BBAC7F5AC0EEC128CE2,SHA256=FA447A6AF587FF5C7774BF79819263AB2A5E95D507B7205789494FEE5F096DB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119165Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:27.256{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7D6D3874E57502DFDE8A026762264FF,SHA256=3EB503CCC1FC4F954A72A65D156793B7F17C569466743282F3F011EF0E401950,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085504Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:28.677{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD4A73B815BEF16A55FD5BCFA4A41A55,SHA256=42E6D18965332424ED9F51A8C94EC138292B0ED344B407E01AF560A6DB0CED45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119167Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:28.349{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8615DBA994A85D5EEB4D3C6C2CC000F,SHA256=105F71EBCD671962E9ABA7B0C568BFD56B810CA65CF1234ADD62C0CE1247F8B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085503Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:25.789{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51662-false10.0.1.12-8000- 354300x8000000000000000119166Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:25.969{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63292-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000085505Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:29.770{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5085DE0FFE84BEBFD3093D9D29D3FA4D,SHA256=22C165FB21BC34BBBA3A25BE92D90E093B075D4D26BC2E7527C0930D02526825,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119168Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:29.443{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F805D24F51705365770C960B87AF5C45,SHA256=AEBAF3CA2FBF3A6B2E53B488C26D849E032F6DF038369FE0C0A643C0074FFDCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085506Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:30.864{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=987D487F3E566986ABDE7345FCCB1314,SHA256=A07BB152C6A826490C2BFB0DCC55F10C443B252BFC2B978796DD59003081949D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119169Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:30.537{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B442B569B69FE88BE451DCFF39317512,SHA256=55AD3101A36FBC401559CC51E17B415B74369E380D594F6AF0D46EC8553EC696,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085508Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:31.958{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1C208AEE90013D0A3DCFB729EC2C0DD,SHA256=5E0F03A9DAD0732A7640F320173FC8B6A573C38113638D17DE55C1366F23608A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119170Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:31.646{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A66397264468C3A575614CBF486F7E13,SHA256=BD510BA25FB739E24985698050AE9F6814F7D76733C3DA013F7504BECC242EC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085507Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:31.489{9531C931-286E-623C-2100-000000004302}2000NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B25FDCC12974A9C381F03B139373D5A,SHA256=CCB13157BCC6FA0284F12C6446F2447FFDD0F4F85F98465868293CDAEA96B09E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119171Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:32.740{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0960025BC174972CADCC4A7828AD698,SHA256=FEFCF5CD54AC16019C81F83CFF07DC54A6BA559459227427BC3EA514F73792A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119173Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:33.834{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D38B000852698413D66FCA7B9F5B12F,SHA256=E5BF670102CE0EFA70BF8F9070B5F7888A4D36A1E11A280D64B58F96699BB2DA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085511Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:31.570{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51664-false10.0.1.12-8000- 354300x800000000000000085510Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:31.022{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51663-false10.0.1.12-8089- 23542300x800000000000000085509Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:33.052{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E77FA9E2E6B1D548C463CC8C421B2EB0,SHA256=2CA866D3A859A8E26970672A3CD61454F6E35B60A2671E583419A96CBD30560B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119172Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:31.000{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63293-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119174Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:34.928{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51A20612450A39B12DDE7EF8A0ADB9B7,SHA256=E2A200654FCC69F7D0FE7C7067D1553E2469CDE7B6162E797600492518B99D51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085512Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:34.146{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CAD3C923147489FEF35CA05A3B1C180,SHA256=652D3679F9E7055CB5012F4D2434DDF29D2C5F750A51F26151D5F2359128DCFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085513Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:35.239{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B145AA6225572FF29F013E982D45637,SHA256=3B618DB7DC1784B5BB58106FFD19304CD020E0DB0C2F89B468A487668B1DEA9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119175Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:35.615{5F3DCEF0-287B-623C-3200-000000004202}2344NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=114A00672C403EE017423F26D365EED9,SHA256=D3A43CBE95D7DF938307031DC311C1B91AACA913E9ECDB2CB06DD30B0B1289DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085514Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:36.334{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5AECD7473738F3763A358C0FB2BA315,SHA256=AEECE48D7EE5741EA849F1744678D37BFAFEFCD0915277E36A8C5277166D6F90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119176Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:36.021{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05C487FCBA89AB9AF436EF9B1EA03062,SHA256=542E4498C41E51D5633076123204B9D22BFB9AFC404F8F5AEA35310543A628C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085515Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:37.428{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08C72CD9A5E0B259C9D6C6FDD3345DA6,SHA256=A58DCCBE2B514727DB30104F8DC57F9548076E3E3F827E7780147295FB3F86D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119177Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:37.116{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE73EE8534DE858290C7F610AF023122,SHA256=8F9F411F7C71A32606CBA8AC257EE143D2FDD0DE1F0E210A0DB822A00B1B0612,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085516Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:38.521{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6369718FAA542061DA74FE691162127E,SHA256=8CB6F938263E0A5724C04317F0A2007690C5AE60F2539D9011E985B8841F6437,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119179Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:36.954{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63294-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119178Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:38.209{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8F97E91EBB19583E21CC3A5ED2DA9DC,SHA256=D35AAAC3CBFD78A1C40848A7C6CCED4E28041E83426B059D707909322DA8B312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085519Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:39.990{9531C931-286D-623C-1200-000000004302}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=E739F53B2E3208DEC3FD23CD23311CF7,SHA256=D3C8C504403F14E1CCFAA8E863D8700520D05547A1A0EBEC76ECB1755B654F27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085518Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:39.615{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=119361A3098C69D2EB165D9D32873C7F,SHA256=BAF6D8AE305A3F610A45C2E627EA5059389B0E590105D77F62C2CD21CB84EFC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119181Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:39.303{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=197DD6F779F106279A2A58A42754A6D8,SHA256=7F1162A07227842D79DD5BB89F9F3323453EE036A59774DCAED64206228537CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085517Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:36.758{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51665-false10.0.1.12-8000- 23542300x8000000000000000119180Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:39.163{5F3DCEF0-286D-623C-1300-000000004202}488NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=44274B1636EC392E3229715F8BBB46F7,SHA256=3C9CF0AEFA0130A5F294C9C64C330DF34B1811C5C9186E98BB13A77F7DF9741C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085520Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:40.709{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9336F9B74F936CAA65F988304FE9E49,SHA256=8C78E365ABD91EF974AEE88A4734045191C5F62A71D7FED315E56274F7171C1B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119183Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:40.694{5F3DCEF0-286D-623C-0D00-000000004202}8841160C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-8B00-000000004202}4584C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3d877|c:\windows\system32\rpcss.dll+29a97|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119182Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:40.397{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49C03CDE03FA10460C1B4F610045BC7D,SHA256=653D15751DE9A2F4EC3DDA4E1AB781F8C60671BC5BB0F2C7C82BFA7787DF1C4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085521Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:41.802{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61EA1DF54370511EB74D6CCAF6751164,SHA256=713B8C6A1702891D15BD86C830F98E85119793D4EEBA85E7756666CCF58FDB5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119185Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:41.756{5F3DCEF0-287B-623C-3200-000000004202}2344NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B25FDCC12974A9C381F03B139373D5A,SHA256=CCB13157BCC6FA0284F12C6446F2447FFDD0F4F85F98465868293CDAEA96B09E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119184Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:41.491{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B5A32B6897E4280DDB3503DE67818CF,SHA256=E14AD04B0917539DCE48E6DA55F8999F0A6E998C475B062626C72C3366CFEC04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085525Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:42.896{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2AB74771213B9B3CAE3F0B8DE489FF7,SHA256=EE67B489CC2B667F8007A9DFBB571493491AC2D273AB112C63FC54EB57DF1F35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119186Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:42.584{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1FBE93BDF4145AFAFCA0F8CE0557C2B,SHA256=15AEDC6FD7E5E9D72F3A10C09E033B28413C2D5BD377312F59CC7E5DF45D405C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085524Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:42.193{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-1300-000000004302}700C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085523Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:42.193{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-1300-000000004302}700C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085522Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:42.193{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-1300-000000004302}700C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000085526Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:43.990{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BFB4D4CEE1CD2D7C8D188D653051913,SHA256=0FC67C89B6D62CB0D9B9F218C4D56D8E930E779E14BC94FAF80B00C20BEE2234,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119189Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:42.001{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63296-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000119188Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:41.501{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63295-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000119187Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:43.678{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CDFCDDC83545E415614A5A1E0410A64,SHA256=22B85C6EA68AD90581E77D8E716EC393B1919889A8E7783D7598E7EAEF78CED5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119190Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:44.772{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDB3A8801FFE869EEE69E2FD3F93CA07,SHA256=D59FC2AF5BA9713F4986225B4DE6D6C945455CC79578FBA9A5EFFA64331C6DAB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085527Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:42.757{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51666-false10.0.1.12-8000- 23542300x8000000000000000119191Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:45.881{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5061B940A38A3523A88D84041B240EAB,SHA256=C459CF5C71E9557E752ECD2255B605DFEB5E36B0C07BCFD4C94B5F4447523AFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085528Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:45.084{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AACB1A9A74C576B78109644B47578C59,SHA256=EEE90BB8B574EB77A724548C265CE45815B05EF046EE9F27501F27354348BEDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119193Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:46.975{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAB1EA5F99BF6B8685139D3863277BC0,SHA256=72830BED8EFB89AAAC0E45AB359A3C20D8C1BC44831776F0BB6B7167552B2CBB,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000119192Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-SetValue2022-03-24 11:01:46.944{5F3DCEF0-286D-623C-1100-000000004202}408C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d83f6e-0x8e0aa47f) 23542300x800000000000000085529Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:46.177{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00A06550C8766BD62E62C2F749E93ECD,SHA256=CAD36F83C5F17C623B9923797526FD222083A947745E26C1090DCC570C334FB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085530Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:47.271{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=105EEACD1B3719B6B6D80845A1A71760,SHA256=204897B43AFEB0242BC877082BECB71A6FAC3C6CDE9CB0DD9427AD6925861A05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085531Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:48.365{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DA8AC2FCF4DD431D8BA9F75C38BEDB2,SHA256=0B3FD8F3E1F948B3A4EC9D632EBFD22A9DC9CBB888C863F15E414AEB8E50E7AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119195Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:46.688{5F3DCEF0-286D-623C-1100-000000004202}408C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local123ntpfalse40.119.148.38-123ntp 23542300x8000000000000000119194Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:48.069{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=302FEFE709721C66C30E12C22D736415,SHA256=AF0527E0EE3847BBB43FBC3AE97C88815FFE6105CCF4E6D67918F27665EC59FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085533Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:49.512{9531C931-286E-623C-1F00-000000004302}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0461bb3aaa367e86a\channels\health\respondent-20220324081441-162MD5=E0BA989DE2EAC2D304FA728EF5181BE5,SHA256=79811ABCB3575FCAAAD7A2ED1966FC2D319842A68AFDD7DF3600AD47FF32DF65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085532Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:49.460{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9B03B779CA1F57A3ABD3B19573E42DB,SHA256=1CD1D1BF410800E16E1A910708CB451EA34B0A419F05F5C9D3D761F3763313BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119196Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:49.163{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E298AE0CF393FECA109034B2A8D55480,SHA256=2373AFDA229F3A8762BD047F5A3B6A280323324E5FF4BC089D7D1E126E8872B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085535Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:50.554{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F680AE5ABC7D01425521C14A4B2A766,SHA256=837C9738B9B7A682AD686D3DBA1DDA5B757955EBCBF9A2DB581C89C162F78923,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085534Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:50.511{9531C931-286E-623C-1F00-000000004302}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0461bb3aaa367e86a\channels\health\surveyor-20220324081439-163MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119198Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:50.257{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BEF54E181263FA06B0A886E6A49FD1C,SHA256=ADE3121FE3D5D0753040C4EAF5987DCDA2989F5555C5FBAFB06C44E8E083CFC5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119197Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:47.830{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63297-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000085537Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:48.774{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51667-false10.0.1.12-8000- 23542300x800000000000000085536Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:51.650{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=654C1E809B701F68D8903134D35AA797,SHA256=16FD3DE6754F0D50737C9BD4AB769B18DB34F2FD6E73F9034923B0C973F3D7CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119199Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:51.351{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CE61CB09B11650D9377E55C234FE074,SHA256=9B05A54F61ED6C8FEFC4B1EB94B5F5075BBEB8460A2ECC7B2F98BC47854A8847,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085564Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:52.760{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4FA0-623C-2105-000000004302}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085563Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:52.760{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085562Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:52.760{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085561Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:52.760{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085560Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:52.760{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085559Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:52.760{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085558Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:52.760{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085557Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:52.760{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085556Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:52.760{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085555Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:52.760{9531C931-286C-623C-0500-000000004302}408528C:\Windows\system32\csrss.exe{9531C931-4FA0-623C-2105-000000004302}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085554Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:52.760{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085553Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:52.760{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4FA0-623C-2105-000000004302}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085552Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:52.761{9531C931-4FA0-623C-2105-000000004302}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000085551Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:52.744{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56AD2C572E9E0E977EB29264E614F47E,SHA256=9F5FD381078CB5B9AE4926A75B635A7580E51DB914A948D4C4381A3500C840A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119200Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:52.444{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BBEFD3C5553006F2BCC768E6F5EC76A,SHA256=D1AD32CB3303BE95DF084BFF2E97BAA7C4F670BE7BEDF3842D5DAE5BD9CCFFB6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085550Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:52.260{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4FA0-623C-2005-000000004302}2964C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085549Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:52.260{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085548Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:52.260{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085547Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:52.260{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085546Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:52.260{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085545Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:52.260{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085544Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:52.260{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085543Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:52.260{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085542Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:52.260{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085541Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:52.260{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085540Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:52.260{9531C931-286C-623C-0500-000000004302}408528C:\Windows\system32\csrss.exe{9531C931-4FA0-623C-2005-000000004302}2964C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085539Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:52.260{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4FA0-623C-2005-000000004302}2964C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085538Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:52.260{9531C931-4FA0-623C-2005-000000004302}2964C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000085567Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:53.838{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D26F46403F1C1348FB58DAC9FAB5967F,SHA256=573A29354A1E4DE5DB27075F73ADEDE5BA27A4EB8AB1E440764D1161FC71422C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119201Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:53.538{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38B5F957646E4235AB99D37D13C243E0,SHA256=31A1F1AB7AB433B694FC49EA5DCBC03DD16398E486E62389D2A54B42490775AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085566Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:53.369{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AADC7D3C67BAE90BC84246CAA6B9409C,SHA256=1781E96A7856E1E7124467FB31FC49E8DCA27FA451B4C87F145068E7C9D9EB6C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085565Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:52.994{9531C931-4FA0-623C-2105-000000004302}35882028C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000085568Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:54.932{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75D1DC351853610DD1CD44F612161A12,SHA256=75C99220825FCA0BC8A50FDCA53ED523F4A657CEE832528E7024C6521E6D5430,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119205Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:54.632{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BC6DB5A077A03C599692EB03AD3EF50,SHA256=85A658628372EB4EDC991DD2572A594FEAE1980EF1BC63B8C549CFBC687AE2FC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119204Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:54.585{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-286D-623C-1500-000000004202}1220C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119203Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:54.585{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-286D-623C-1500-000000004202}1220C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119202Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:54.585{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-286D-623C-1500-000000004202}1220C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119207Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:55.741{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A87700CBF007C72EEE8C4BFED1818067,SHA256=EA79F15130FEEEF875436862DCA9EB39A2C8D484C7A2AC6E315785630A3FEEF8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085595Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:55.933{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4FA3-623C-2305-000000004302}744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085594Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:55.933{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085593Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:55.933{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085592Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:55.933{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085591Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:55.933{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085590Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:55.933{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085589Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:55.933{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085588Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:55.933{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085587Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:55.933{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085586Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:55.933{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085585Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:55.933{9531C931-286C-623C-0500-000000004302}408424C:\Windows\system32\csrss.exe{9531C931-4FA3-623C-2305-000000004302}744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085584Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:55.933{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4FA3-623C-2305-000000004302}744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085583Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:55.934{9531C931-4FA3-623C-2305-000000004302}744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000085582Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:55.307{9531C931-286E-623C-2100-000000004302}2000NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=D0577817C2B3827FB45A6B65D3B463EA,SHA256=326421748A2C22D3B6C3F51C8AF10E48B2A161484A108AA0860088F16BA8EE82,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085581Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:55.025{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4FA3-623C-2205-000000004302}1240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085580Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:55.025{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085579Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:55.025{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085578Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:55.025{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085577Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:55.025{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085576Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:55.025{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085575Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:55.025{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085574Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:55.025{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085573Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:55.025{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085572Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:55.025{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085571Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:55.025{9531C931-286C-623C-0500-000000004302}4081060C:\Windows\system32\csrss.exe{9531C931-4FA3-623C-2205-000000004302}1240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085570Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:55.025{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4FA3-623C-2205-000000004302}1240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085569Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:55.026{9531C931-4FA3-623C-2205-000000004302}1240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000119206Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:52.938{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63298-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119208Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:56.835{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A17C49F1F6977FCF51FCC28222FA8FE,SHA256=DB13F5A5A8105EFDCDD1E8E0767A4793FAEE33AE657CA10DD6C6B67E7CA350AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085624Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:56.936{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4FA4-623C-2505-000000004302}3936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085623Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:56.936{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085622Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:56.936{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085621Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:56.936{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085620Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:56.936{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085619Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:56.936{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085618Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:56.936{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085617Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:56.936{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085616Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:56.936{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085615Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:56.936{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085614Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:56.936{9531C931-286C-623C-0500-000000004302}408528C:\Windows\system32\csrss.exe{9531C931-4FA4-623C-2505-000000004302}3936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085613Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:56.936{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4FA4-623C-2505-000000004302}3936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085612Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:56.937{9531C931-4FA4-623C-2505-000000004302}3936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000085611Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:56.702{9531C931-4FA4-623C-2405-000000004302}26883704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085610Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:56.436{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4FA4-623C-2405-000000004302}2688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085609Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:56.436{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085608Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:56.436{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085607Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:56.436{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085606Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:56.436{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085605Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:56.436{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085604Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:56.436{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085603Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:56.436{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085602Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:56.436{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085601Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:56.436{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085600Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:56.436{9531C931-286C-623C-0500-000000004302}408528C:\Windows\system32\csrss.exe{9531C931-4FA4-623C-2405-000000004302}2688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085599Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:56.436{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4FA4-623C-2405-000000004302}2688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085598Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:56.438{9531C931-4FA4-623C-2405-000000004302}2688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000085597Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:56.280{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AD99F0752C1DFE7ACF68455623B040D,SHA256=07DECE15BACCAE2C1257FDA7BAD77B0C3C90AB12A999581AC991E7D89EBDC22C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085596Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:56.186{9531C931-4FA3-623C-2305-000000004302}7441896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119209Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:57.929{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D29067EE53A5A5D04ED3C2AB60F80CF,SHA256=7396DABF70DD24C39B2BCFECE46EAEE37EA448DBE1AA74BC891233B5E2C27323,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085627Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:57.436{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B4CF01E6B837159F89B0A8C63926BD1,SHA256=F1128A21C79620FEEA0121F6DAD5544ED60A11F4E1E942CFD2A995F649FDA806,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085626Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:57.202{9531C931-4FA4-623C-2505-000000004302}39363604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000085625Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:54.793{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51668-false10.0.1.12-8000- 23542300x800000000000000085628Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:58.265{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32B650FF81D7D2A9A671CEE21684C317,SHA256=FF72A0C343580A1BA8CA14EF33B78DEA7EA25CD8134005A4CCA3D5E44D9B0323,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085642Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:59.405{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4FA7-623C-2605-000000004302}3696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085641Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:59.405{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085640Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:59.405{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085639Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:59.405{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085638Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:59.405{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085637Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:59.405{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085636Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:59.405{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085635Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:59.405{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085634Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:59.405{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085633Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:59.405{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085632Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:59.405{9531C931-286C-623C-0500-000000004302}4081060C:\Windows\system32\csrss.exe{9531C931-4FA7-623C-2605-000000004302}3696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085631Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:59.405{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4FA7-623C-2605-000000004302}3696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085630Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:59.406{9531C931-4FA7-623C-2605-000000004302}3696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000085629Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:59.358{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43DEFA8A0A2391BD8ACCCA37FE9A072C,SHA256=90E8D1D71DA92471B3BD3DB91B9893D66DAA511C1E9D58123CDD0A83D1D95017,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119210Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:59.023{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80E5B57C906390CF6CD577C5E9E89FBF,SHA256=377D49062CAF82B57816921B3F85A310E981CEE559CC0A1634D65E4CC46B2011,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085644Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:00.483{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4BD66CB7789A7E70E15E50A4C6F0B565,SHA256=2AF3EEDCEFF152C1CA6A57F8C7BAB51AAD4F553474A88A1FFBCC319044DF61D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085643Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:00.452{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BD865DD694D92DEA4F481A56E94A534,SHA256=4A293EBD79DCA756239E24C66B71FF96AFCFA0AE940E3007E961B381A169592C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119212Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:57.970{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63299-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119211Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:00.117{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE3DCE35F8AC6D07D09D4731A935A732,SHA256=E47E7D3FECC7E6880F096BFDD506B3BF24B77851EA2A05A4B14D01943477915D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085645Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:01.546{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73CC552BACDB9A13BFA671815073FEDC,SHA256=2541D3E9399716A25E2DB2E8690FD987AA57B18723241F18A6FB5F8E9FDB59D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119213Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:01.210{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D858F512EDCB2D6284510A7092DE491D,SHA256=52A91172B2AAAE64BABF3367787DF1F7AD4DDE1624B2D7D5B8402CEF8648B18F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085646Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:02.640{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=900BB89DDB9D330EFDA60183BDF62E53,SHA256=2AA77A788CB28278E49A2B0AF68F9C93D8FF00E57B332AC9D11CF5AD6022B71B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119223Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:02.546{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4FAA-623C-A805-000000004202}5256C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119222Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:02.545{5F3DCEF0-287B-623C-2F00-000000004202}3064NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-055648375a9ac07a7\channels\health\respondent-20220324081453-162MD5=AC296348C12F899BF0F527F2984A2DD1,SHA256=A35560BD23E94F5C9C2AA7752B988DA786BB94608EDDAF755EB3DCD02CE684A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119221Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:02.542{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119220Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:02.542{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119219Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:02.542{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119218Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:02.542{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119217Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:02.541{5F3DCEF0-286A-623C-0500-000000004202}404520C:\Windows\system32\csrss.exe{5F3DCEF0-4FAA-623C-A805-000000004202}5256C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119216Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:02.541{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4FAA-623C-A805-000000004202}5256C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119215Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:02.541{5F3DCEF0-4FAA-623C-A805-000000004202}5256C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000119214Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:02.305{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64547307594B300E8EC15A0117B0418E,SHA256=2A5E95B6A1FFFE2D89F201C967B03A251C8C8964A1A25EF97A31F73F4D451172,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085648Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:03.733{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=484905202968C90C35DCC25DF31F1E7C,SHA256=1DD07C17427B4F952B08A808808A0E625DE02963534E118B308714D399985B39,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119234Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:03.791{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4FAB-623C-A905-000000004202}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119233Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:03.791{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119232Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:03.791{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119231Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:03.791{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119230Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:03.791{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119229Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:03.791{5F3DCEF0-286A-623C-0500-000000004202}404520C:\Windows\system32\csrss.exe{5F3DCEF0-4FAB-623C-A905-000000004202}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119228Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:03.791{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4FAB-623C-A905-000000004202}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119227Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:03.793{5F3DCEF0-4FAB-623C-A905-000000004202}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000119226Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:03.552{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5B42EC5B646F89CF134D78C0357BDC3,SHA256=2F5328BF082E8E1BBF793566CA1B1E18A34FA23AE53C2580463E5B8F550C98FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119225Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:03.544{5F3DCEF0-287B-623C-2F00-000000004202}3064NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-055648375a9ac07a7\channels\health\surveyor-20220324081451-163MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119224Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:03.402{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=639C5857E4CE390C824867D8658D6C22,SHA256=A6A4E7AF861F8DDF3677A46FF429865570D27BC38E6B909D04FAF95DF36DC20B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085647Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:00.767{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51669-false10.0.1.12-8000- 23542300x800000000000000085649Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:04.827{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C222170B8A294CAC8AC92E9629DB986B,SHA256=C81DC44C5DA59271188EE63F760E42212A335CE81B5627C6330F7FF0D3A4659B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119245Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:04.702{5F3DCEF0-4FAC-623C-AA05-000000004202}60566504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119244Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:04.499{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A85B385025B6B19124E315FCDD2807EF,SHA256=FDA80DFAE80BA5487E563540B4E371CF8037BED3565C2C0D9DDAA8EF2770F323,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119243Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:03.005{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63300-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000119242Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:04.468{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4FAC-623C-AA05-000000004202}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119241Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:04.468{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119240Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:04.468{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119239Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:04.468{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119238Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:04.468{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119237Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:04.468{5F3DCEF0-286A-623C-0500-000000004202}404420C:\Windows\system32\csrss.exe{5F3DCEF0-4FAC-623C-AA05-000000004202}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119236Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:04.468{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4FAC-623C-AA05-000000004202}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119235Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:04.468{5F3DCEF0-4FAC-623C-AA05-000000004202}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000085650Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:05.921{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E218B5E1034DDF549A2DF62309F51897,SHA256=C02EC4B8CD1CBEFB52A0D36ED579C4E03D20D0E3E5FCD8BDB49AA29FF96BEFC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119247Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:05.874{5F3DCEF0-287B-623C-3200-000000004202}2344NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=F5C320AA51E81A53E22827B65655C608,SHA256=620C582A082275F376D9F37CF752B091F1FF7E58391A7C4204AD4B6A76BAEE43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119246Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:05.593{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B61FEBDE17929086D05F3D462C7316DE,SHA256=E7706FB52E5115162BE649B31D29C16724BBB9F6BD9FEB52D41F144BC5CC3958,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119248Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:06.686{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F76AC087644D0E4DDCC6E1FEA63279E4,SHA256=8BF7914188BB77CF726CAFE26B79CAFE5B1A48291CC7B9BC0F8592E6708D132E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119260Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:07.781{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97E16A9DC53FBEB986F0585DB4A43835,SHA256=A3C2A79E079294C74D2D14CC85A7180B7852A827D250C26B9E0B079B4C95ABE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085651Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:07.015{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4CBD90CF8A4208F173292FC6D9F8FA3,SHA256=882906DE416FB0D3878976B442A0AA3E18C324829F1800DDA11B0F31125F82F7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119259Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:05.852{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local63301-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local389ldap 354300x8000000000000000119258Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:05.852{5F3DCEF0-287B-623C-2E00-000000004202}3044C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local63301-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local389ldap 10341000x8000000000000000119257Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:07.531{5F3DCEF0-4FAF-623C-AB05-000000004202}3684944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119256Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:07.327{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4FAF-623C-AB05-000000004202}368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119255Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:07.327{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119254Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:07.327{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119253Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:07.327{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119252Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:07.327{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119251Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:07.327{5F3DCEF0-286A-623C-0500-000000004202}4041324C:\Windows\system32\csrss.exe{5F3DCEF0-4FAF-623C-AB05-000000004202}368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119250Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:07.327{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4FAF-623C-AB05-000000004202}368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119249Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:07.328{5F3DCEF0-4FAF-623C-AB05-000000004202}368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000119277Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:08.952{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4FB0-623C-AD05-000000004202}4800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119276Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:08.952{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119275Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:08.952{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119274Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:08.952{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119273Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:08.952{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119272Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:08.952{5F3DCEF0-286A-623C-0500-000000004202}404420C:\Windows\system32\csrss.exe{5F3DCEF0-4FB0-623C-AD05-000000004202}4800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119271Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:08.952{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4FB0-623C-AD05-000000004202}4800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119270Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:08.953{5F3DCEF0-4FB0-623C-AD05-000000004202}4800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000119269Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:08.874{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3F434C35924B9F26CBB28626B1002EE,SHA256=5FD25FF72D0050149B62B687E600EAB1C53F326255D90F644A7AC2D42B2D93D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085652Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:08.108{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFB37D134738FF7BD17165B62505DCDF,SHA256=A0109D9B58D7D0AEE24865A68D85D5A5198011F054D19447DF2DE01872FC9CB9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119268Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:08.327{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4FB0-623C-AC05-000000004202}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119267Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:08.327{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119266Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:08.327{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119265Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:08.327{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119264Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:08.327{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119263Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:08.327{5F3DCEF0-286A-623C-0500-000000004202}4041324C:\Windows\system32\csrss.exe{5F3DCEF0-4FB0-623C-AC05-000000004202}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119262Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:08.327{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4FB0-623C-AC05-000000004202}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119261Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:08.328{5F3DCEF0-4FB0-623C-AC05-000000004202}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000119288Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:09.968{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8FB6C5840A08D89CEFA35A693A3A61A,SHA256=C00CBF846160206C0479C77C1ED927D3BE8BA3E5AAE3FC9582DC6BA6950BA653,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085654Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:06.610{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51670-false10.0.1.12-8000- 23542300x800000000000000085653Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:09.202{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C0A6FD934845F2FA407D6B343B38DE5,SHA256=21F6EF708FE0844183FBFA73FC56C66172F47AFFA2740B896C746BA9A3DFCAAD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119287Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:09.827{5F3DCEF0-4FB1-623C-AE05-000000004202}5936628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119286Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:09.624{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4FB1-623C-AE05-000000004202}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119285Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:09.624{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119284Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:09.624{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119283Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:09.624{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119282Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:09.624{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119281Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:09.624{5F3DCEF0-286A-623C-0500-000000004202}404608C:\Windows\system32\csrss.exe{5F3DCEF0-4FB1-623C-AE05-000000004202}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119280Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:09.624{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4FB1-623C-AE05-000000004202}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119279Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:09.626{5F3DCEF0-4FB1-623C-AE05-000000004202}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000119278Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:09.140{5F3DCEF0-4FB0-623C-AD05-000000004202}48004284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000085655Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:10.296{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D4ECBD538D83ECE4034C0CACF7DF5A1,SHA256=92615F6A550D57B60501C51662EF0E6784F39438BA29909A0BBD33F6BA4E8B4D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119290Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:09.009{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63302-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119289Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:10.015{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CC5327F9509E078C4BF5E4C3A29F8F08,SHA256=EB654D87B4EA8BB3217F68249C13AD583A814E72FB4ABBAE6E96DCD85CDC89A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085656Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:11.390{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7E82DE9734CF4C7DD24F4DD598573E0,SHA256=CE76EC3D00CC0D18F19140855BFCE11B6784197662E87FAE4F027408BF4837A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119291Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:11.061{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7651507759D14017AFA1B6A4D0468A41,SHA256=FC7D6340514EDD90A5BBBE313011DCFC12F0BF774DB401564693EF6F200D66D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085657Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:12.483{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CBAE6ECE53A2A530BE87D7570A0A4F5,SHA256=8ED2A670AF3797ABB482F0E4BBBC8776FF322F6E405224EA4DE73777A7A6598B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119292Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:12.155{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4418956CB4849F581FB70A3F3C0CD724,SHA256=2050DE127133B49707BD3118FB701202356F5E2915F121702D942869A00CED18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085658Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:13.577{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F701598ADE4AF7DE527494B164C1D562,SHA256=13775347F0B3849A56ED93CA96736EA9A0DBBD699EBC6D77DA7C1D525537F98A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119293Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:13.249{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C71B42CE8B539616A8E762F976C7BB0,SHA256=397D66E0A1F54901C86338C41CFD05A8C5F0E6864ACC34E04BE9D37E6754D2E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085659Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:14.671{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC9757CBD34AC45D4D4AE34928E0703A,SHA256=7E3CC456D988E2F14EFE9AF312DFF66853E334A1F6FA6E4A0D67EAEB4AE2E5A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119294Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:14.343{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C2FFC5DE9BBD8E6954C491F359BC9F0,SHA256=FFD3CEBA9552E81DAE133B2907FD6FAF7BC21801C287AD0B69D9FCF7BEB270A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085661Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:15.765{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F71AAF4A1C730931F49E35888208E377,SHA256=EDC347D53584AA827AF4A2DDE4BA2B50464B16CB916876184E9E73506D551A9B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085660Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:12.643{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51671-false10.0.1.12-8000- 23542300x8000000000000000119295Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:15.436{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA80573C89CEB0EB4ACD66AEE395B39B,SHA256=4740FA4C0C8B79EC9CAFED8AE0F0482FB6591CB791F0B630B9AD76E9233FC34B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085662Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:16.744{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28C0355E4D3F7C8DC7F881B07B590747,SHA256=BBD1BCFA442623371CA23609FD098ECBC49C89FBC138DEB5A1923A17FC643E23,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119297Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:14.805{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63303-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119296Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:16.527{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51386305CDB3E28ADE9DAD5B018BCFD4,SHA256=E028BA0BE579A14EB3CD97E56A7BE6C9A409D7147204E6A0155AA548F9EBA891,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085663Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:17.838{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B839CA401848FDFBBB747BEF3B05B8DE,SHA256=069269E98A0CCC02391461D767097F1CE8CC54D4699F6916487F34BF10AB555E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119298Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:17.620{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2300BB733ADC630E1DB8CEEB4AAA691B,SHA256=3377981BFBE809FCDF74006C293D9A9D0E6053C3E807EBBB3762059D1CD0139D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085664Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:18.932{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8321DEB3E14467E2DE6E2A0DE97811D,SHA256=D001D16C1C3C3D77D9B701935070D71764EA3B9CBB31C89C83018DDE2C36B85F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119299Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:18.714{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B925EEF8197614E82D6500AECA6CD458,SHA256=C43AD0634FDFBAB196B5434EB6B69D2DEEF78A878F59BE0310042BB38E125307,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119300Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:19.824{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A39A8043A201EAC9F5427EEB307DE866,SHA256=C0A2FDC0D1A3F04D4278BEA6771E8D8361EBFEE098601309B7B42C13D243454B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119301Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:20.917{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE488271B41ABD70058AE8A951D1A177,SHA256=15333266F07D3AA99D2BDACF1232D401551A341DD4E747A926EE81F8C15C0043,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085666Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:18.668{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51672-false10.0.1.12-8000- 23542300x800000000000000085665Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:20.026{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36FB2C451AC8DC24529E23D565EB9329,SHA256=FD008EAFDBE60373B9BF159C2440304F74F415F623AD7FE486DF9787BF495B6F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119302Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:19.974{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63304-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000085667Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:21.119{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F1F5E57376F0CA313941B33D56BDF85,SHA256=46E3CC950C8BAA3CA98EA691AAAEB503AA68AD71A07D7AAE9CED2C96D6A41D7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085668Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:22.213{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8B534E1B0D945A276790C866EBBF795,SHA256=3D0BDDE7C6D00231B2AA5C95B988EAFA0B862C5B57730521EEC1FFA8A5C3966D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119303Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:22.011{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83740D5D90CD8A5DED61CAC5529B46F3,SHA256=84BB34E1090DD55ED2FB9516DD84DAE820FFFC0898A3C9F4EE187A0680A8297A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085669Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:23.307{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC16734AB4C714054D31DF9A8BADEBF6,SHA256=CDEACDE36F7D246CD83B9C68A44920761AA706CC0DA209AD1614BAB21C8656C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119304Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:23.105{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37D8213EE26661B634210851AD033548,SHA256=217159D823EF43A833DDF541301DC09F07A289B3809098510D3FB3E6AEFF5401,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085670Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:24.401{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=311069B774B592D9EC57F38348A227BB,SHA256=EE9A36BE66985DA92D8F927A4B53533F152197C56B6F494D378C122D3AC7CFF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119305Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:24.199{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32C95DBE39F9E634A0AFAC768EE9B9FB,SHA256=D1A026600C21E9C5D0635A20A865A8514F2E299DBC735F28A4BD5C56D7DC8FA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085672Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:25.494{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D34BB54B283276F3BD9BAA55AA796E89,SHA256=B8F0895112D2F39DE49F443244B7AEDB722A83990CD6410B7819E2AD980249D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085671Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:25.463{9531C931-286E-623C-2100-000000004302}2000NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=75481120370526F7B7DDD3EF07595F1D,SHA256=FCBCFE55A7FD2E4A722558A79A14C090DBFA46B04892E51C7304130F86522F6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119306Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:25.292{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55197C8B3AC1917862D1EC5340C6220C,SHA256=E58585709528E77B4C4A6605F1E03C6D58326773007F36A5B4CD9385497B2EBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085674Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:26.588{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A0FD17218F57137ACD1EEEE53632107,SHA256=68823705EED75D7F6CFB05EE5E706C0B1E68A218323658A4C1663E72606BDABD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119307Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:26.402{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C12D2941BF7BAFF6278B680424D9AB6,SHA256=FF7E2B1890AFEF146B6A3BDEB98DE352DDCCE5AF219C7E7315FCF9BDD64C80A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085673Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:23.731{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51673-false10.0.1.12-8000- 23542300x800000000000000085675Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:27.682{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5243AF59C56E95C8DCA670C534D2899,SHA256=15D91DE33BFC7D41EA1102B3FC2C6EB0FB59EA2124A1D55C51DBCE011D377297,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119308Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:27.495{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17B4DF68569EFE531B81946669164076,SHA256=407884070CAFAFC6929CD8B8769E5A87B100E88F213E1DE1D4430AA4A65DC744,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085676Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:28.776{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D45D4FE004B86BC2CEBD9D9AE931981A,SHA256=597F85F033EB1DDF00B134A097941A75638B2777F10F2F9A633B18821AD262B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119310Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:28.589{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04081D0E1D4CB5AEF5D39E5563DDDE32,SHA256=5F388CDFF87D2293C2CD0B97CCF6493CFC376E1E277617299B7BF52D33CB6D78,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119309Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:25.989{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63305-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000085677Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:29.869{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2F1F4B086ACD5314B000CE2DD66FF33,SHA256=EF0FE917D4113C54B335612946D07F94093FAD72B1C7956A0DCA3912A93481B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119311Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:29.683{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF95E8512600AFE972D28A0580BF14B0,SHA256=BA2FD0C09B5CEEA7915CF7BB4494C1D1C2CA3CF49840028A9E4CA7BE5E1C0113,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085678Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:30.964{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46FC3F1E7CF340498CD1C9D489DEFD9E,SHA256=F9E2C854735C3C647981CB66D027741ACFDA0938694C42664DB5368F712A3B73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119312Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:30.777{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85D8B2E5D8F0E6ACD232F4C9D6076D9F,SHA256=FF0E81E725DC13BC280EBB1233EFC9318E8797462E62222EF22403851DE1A3EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119313Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:31.870{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8017D4610C1E2C4E964E350BC597519D,SHA256=5ED4A35CF94198452F6B7E6FD146CC771730C0D545C992B5A2BC7BBE494D43E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085679Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:31.510{9531C931-286E-623C-2100-000000004302}2000NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B25FDCC12974A9C381F03B139373D5A,SHA256=CCB13157BCC6FA0284F12C6446F2447FFDD0F4F85F98465868293CDAEA96B09E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119314Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:32.964{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AECF97C7CC0E8649B42B734EA758839,SHA256=A8AB5BEA009D7A5A1F318D3368FED2DF9883FFE2655A90EC24BC29BA3C59D386,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085681Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:29.715{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51674-false10.0.1.12-8000- 23542300x800000000000000085680Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:32.057{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AD0FE0A4DF7306BF70D146F501C3BDE,SHA256=846EEEF04473E461755AE671527B9D86EBACA4E115AF9C9B9258EB9D3FEBBEE6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085683Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:31.043{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51675-false10.0.1.12-8089- 23542300x800000000000000085682Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:33.151{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1567F8CD7CCDDF032291D82681E9929,SHA256=09B13B905507692405D0F842089FC8230A5CA1D1E85ADFEFE9313405EB4AE5D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085684Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:34.245{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EBA4C25CCE24BE3AFF30C4666A4EE29,SHA256=2EEBFE1E9E7352054F986DF2126C0C398022C183A2123B15F467BCF96E23B618,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119316Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:31.864{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63306-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119315Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:34.058{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=521016A9C80E6A0AA34C84D5D6DF8E9E,SHA256=E3D26AD3C5B49166B4D6CE6F75AF04C4D58C22F7713FCCB79A6A7D0490FFBB77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085685Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:35.338{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA4ABCF16CA3A85EF27C6C47A8221030,SHA256=C31B3A991DECE7104521EFB007E05729ADFD62DA1EBF5505CBFEC3CB3C184B9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119318Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:35.183{5F3DCEF0-287B-623C-3200-000000004202}2344NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=1A7A98E37FC0045FBE3A90962DAD0B8F,SHA256=C5F562ED1EE95333B5B5ACA73C11D82E25B982ADE55B928ADA948DF4E3AF6CA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119317Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:35.152{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0707DFF26D9A8215F52551088DB33957,SHA256=EB12B5F37A88B5031ED4459A3824ECA29DD99C6EC6EABDEDD4050C1395965BC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085686Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:36.434{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F03DE29C17E95F9B4E0BC89A94314B17,SHA256=B07B022106AADE67F01708C526E67DDBB2871A2754A571C19D0DC03B61799F36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119319Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:36.247{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9A2805FCAB169B5EAF65B36FF166604,SHA256=1870FDB4B457F32178987BCC1F63098223394DD6AAC78C709B5D67B3285ABD7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085687Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:37.527{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F647D053B11F47B6B73AC36404BBD9B2,SHA256=9C4AC46D8E2DF86A21D3B6A1874757CB7DCB4C1A546B530D476778984B9AC73D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119320Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:37.341{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B899E523930F45CE84F5BE15F30648A3,SHA256=0E8405864FD952768D7C4198F21919491FC5C14A9D249B00030501A4E556BEAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085689Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:38.621{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBD42742ABBB30F5F6AE794CE4E68F44,SHA256=41854CA4F88626127500708453938C4065230AB793844F525A6E62CD4CD708FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119353Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:38.716{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1860232D4117BFB0410CE9E54ED9D0B,SHA256=1450529BD16B98E9B453AC49DA6F9186C18B359517060845C1877BD066F6875D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085688Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:35.684{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51676-false10.0.1.12-8000- 10341000x8000000000000000119352Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:38.248{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119351Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:38.248{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119350Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:38.248{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119349Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:38.248{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119348Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:38.248{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119347Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:38.248{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119346Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:38.248{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119345Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:38.248{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119344Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:38.248{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119343Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:38.248{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119342Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:38.248{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119341Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:38.248{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119340Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:38.248{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119339Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:38.248{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119338Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:38.248{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119337Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:38.248{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119336Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:38.248{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119335Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:38.248{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119334Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:38.248{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119333Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:38.248{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119332Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:38.248{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119331Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:38.248{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119330Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:38.248{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119329Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:38.248{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119328Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:38.248{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119327Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:38.248{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119326Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:38.248{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119325Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:38.248{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3400-000000004202}2020C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119324Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:38.248{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3400-000000004202}2020C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119323Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:38.248{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9800-000000004202}5168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119322Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:38.248{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9800-000000004202}5168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119321Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:38.248{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9800-000000004202}5168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000085691Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:39.996{9531C931-286D-623C-1200-000000004302}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=0C2FC38E6DC044680BE49F36E054CDDE,SHA256=8154B24FDD18E870DF8C38892618C5EB3A802AC21BB55D656FC558D652E133A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085690Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:39.715{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B55F0A03410DBF1E0F8C2B8AB2E49CF,SHA256=5F4247D9B1E073E7F53715731F4F280B4C8E1CA69132FF44F68367C400515B8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119366Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:39.763{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=313412130FDB1E9BB6B8C23D69AD1195,SHA256=FA3ECA2A35B28DD7BA0224B88DB1E3EBF3DE71C7B7D77083FDD5522C28BF74BF,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000119365Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-SetValue2022-03-24 11:02:39.278{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000119364Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-SetValue2022-03-24 11:02:39.278{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x009a8986) 13241300x8000000000000000119363Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-SetValue2022-03-24 11:02:39.278{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d83f66-0x4afce2a6) 13241300x8000000000000000119362Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-SetValue2022-03-24 11:02:39.278{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d83f6e-0xacc14aa6) 13241300x8000000000000000119361Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-SetValue2022-03-24 11:02:39.278{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d83f77-0x0e85b2a6) 13241300x8000000000000000119360Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-SetValue2022-03-24 11:02:39.278{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000119359Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-SetValue2022-03-24 11:02:39.278{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x009a8986) 13241300x8000000000000000119358Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-SetValue2022-03-24 11:02:39.278{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d83f66-0x4afce2a6) 13241300x8000000000000000119357Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-SetValue2022-03-24 11:02:39.278{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d83f6e-0xacc14aa6) 13241300x8000000000000000119356Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-SetValue2022-03-24 11:02:39.278{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d83f77-0x0e85b2a6) 354300x8000000000000000119355Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:37.852{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63307-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119354Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:39.169{5F3DCEF0-286D-623C-1300-000000004202}488NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=087FB5C40D7831410F8779F3F5BBB697,SHA256=5438662F52E949590C29C50C261724676959293BDE898D8EF0638814631EE8DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085692Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:40.809{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=183ABE26DE202567EE8A1ADBAE4BC6A9,SHA256=D864E5D6E68BD2278EA22F730FA95211BD7BA118E113FDFADE5B706156783AFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119367Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:40.857{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B045359C9AF2B4D6121AF362B9F11C9A,SHA256=060020EB97BA3A8CB8E83E78C349D61EF0CE9B6E208EDD70CD475FFCB837EDF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085693Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:41.902{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=858F559B21B225DA7D78F018F571A0D8,SHA256=97DCA132CA458512E1B31D2C453FEB967BEE25D0C5B60498CE724FFAC439DF44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119370Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:41.950{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=010390B9B84540799BE5BFCC65231815,SHA256=C1413CB62E5984A656AF40C1BD9E013A6065B4145E51FA2F93D5625633D9CCB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119369Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:41.763{5F3DCEF0-287B-623C-3200-000000004202}2344NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B25FDCC12974A9C381F03B139373D5A,SHA256=CCB13157BCC6FA0284F12C6446F2447FFDD0F4F85F98465868293CDAEA96B09E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119368Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:41.763{5F3DCEF0-286D-623C-0D00-000000004202}8841160C:\Windows\system32\svchost.exe{5F3DCEF0-286D-623C-1600-000000004202}1260C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3d877|c:\windows\system32\rpcss.dll+29a97|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000085694Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:42.996{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A1ADD95CE04D4A405E7194F0BA042FC,SHA256=6F033401C9B6947F42464833348F7ECF93DF8633D8D61B307D09794470C40B7B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085695Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:40.718{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51677-false10.0.1.12-8000- 23542300x8000000000000000119371Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:43.044{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78BB8129E8691B9F151ED6707B00529C,SHA256=95BF8122637F934D9F481A4D743067849EF6910965235B4B97DC774CC84092AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085696Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:44.090{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F3B3DC5BEF4F2631CBF9F3B699253C1,SHA256=CCE1083AE2B37AF8B6187E77623D8A9A613C13671CAF0CE6813EE16EAEF04E37,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119373Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:41.522{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63308-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000119372Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:44.138{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41F775DEF73A1E2FA0F7C5202618757F,SHA256=15229008FCABEFDC14453D6803211769319DF6FCCD0C45ADCAB4BC2B95DFA0F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119375Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:43.819{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63310-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119374Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:45.232{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0453375299742842995A7409E413E48F,SHA256=F3F5387D69C49D1CBCE06957B9CD872F5A2423A2A8F6AD670E81B8624FC0D195,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085697Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:45.184{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91634A9FD6D62CF324AF3FF6AF600B1E,SHA256=187BA684A44DC80D39A34ADF9FBCC993495DD65A6A600A80CC94311ED3B86ACA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119376Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:46.325{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96B9A31A9A68E733408030C30541D8E1,SHA256=830254354BAA81C7EB12EB2F238358D1837D6C07D8EB13606F2EB1198EE0C050,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085698Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:46.277{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=150E16BC6A5E2320379EF6D6A3A76AC3,SHA256=003B3032BB42226E642FD7E37E7A55E3D30D26743F0A51506B3309D86C30B177,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119377Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:47.419{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C84196033AAD536F3BC4C5C328879F9B,SHA256=E23F5506BFA4CC84C717078A337BD5B9203CC95A110CD32F9F662FDF6CF09D66,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085700Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:45.795{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51678-false10.0.1.12-8000- 23542300x800000000000000085699Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:47.371{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A6235BDA1DC9498486377138B082374,SHA256=BDA5C98C048D4150691EFF2BF345368B03273E280D6939E85D8E0F41B177D3AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085701Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:48.465{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDCF583EF264831A5C19ACAD4E6FA3D3,SHA256=EE2445450B329A81FBFDE00F3D111A12F0F41190739FB9FF1AE382F08BAC87B7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119405Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:48.575{5F3DCEF0-28A1-623C-9400-000000004202}50246296C:\Windows\Explorer.EXE{5F3DCEF0-4FD8-623C-AF05-000000004202}6756C:\Windows\system32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119404Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:48.575{5F3DCEF0-28A1-623C-9400-000000004202}50246296C:\Windows\Explorer.EXE{5F3DCEF0-4FD8-623C-AF05-000000004202}6756C:\Windows\system32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119403Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:48.575{5F3DCEF0-28A1-623C-9400-000000004202}50246296C:\Windows\Explorer.EXE{5F3DCEF0-4FD8-623C-AF05-000000004202}6756C:\Windows\system32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119402Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:48.560{5F3DCEF0-28A1-623C-8F00-000000004202}47164784C:\Windows\system32\taskhostw.exe{5F3DCEF0-4FD8-623C-AF05-000000004202}6756C:\Windows\system32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119401Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:48.560{5F3DCEF0-28A1-623C-8F00-000000004202}47164784C:\Windows\system32\taskhostw.exe{5F3DCEF0-4FD8-623C-AF05-000000004202}6756C:\Windows\system32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119400Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:48.544{5F3DCEF0-28A1-623C-9400-000000004202}50244488C:\Windows\Explorer.EXE{5F3DCEF0-4FD8-623C-AF05-000000004202}6756C:\Windows\system32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119399Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:48.544{5F3DCEF0-28A1-623C-9400-000000004202}50244488C:\Windows\Explorer.EXE{5F3DCEF0-4FD8-623C-AF05-000000004202}6756C:\Windows\system32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119398Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:48.544{5F3DCEF0-28A1-623C-9400-000000004202}50244488C:\Windows\Explorer.EXE{5F3DCEF0-4FD8-623C-AF05-000000004202}6756C:\Windows\system32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119397Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:48.544{5F3DCEF0-28A1-623C-9400-000000004202}50244488C:\Windows\Explorer.EXE{5F3DCEF0-4FD8-623C-AF05-000000004202}6756C:\Windows\system32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119396Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:48.544{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4FD8-623C-AF05-000000004202}6756C:\Windows\system32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bc660|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119395Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:48.544{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4FD8-623C-AF05-000000004202}6756C:\Windows\system32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10ac30|C:\Windows\System32\SHELL32.dll+bc61c|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119394Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:48.544{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4FD8-623C-AF05-000000004202}6756C:\Windows\system32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bc5f0|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119393Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:48.544{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4FD8-623C-AF05-000000004202}6756C:\Windows\system32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+1007b9|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119392Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:48.528{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-4FD8-623C-AF05-000000004202}6756C:\Windows\system32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000119391Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:48.513{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\7-Zip.lnk2022-03-24 10:58:20.241 23542300x8000000000000000119390Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:48.513{5F3DCEF0-28A1-623C-9400-000000004202}5024ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\7-Zip.lnkMD5=CC2EA84C5CF3BAD9EA6161D57EFDAC37,SHA256=D87A0283C386113EC0F72EAA9EC30AB402848B7C10DBB14DBBEC1F8380A8C036,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000119389Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:48.513{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\History.txt.lnk2022-03-24 10:58:20.225 23542300x8000000000000000119388Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:48.513{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3A24F03CB24E31E3B892FD16E2F7EA1,SHA256=739E0939424D6CC1E5068315D8B36B6BC8208E32A3C46BE8D32FF7F255A77F96,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119387Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:48.513{5F3DCEF0-286D-623C-1600-000000004202}12601932C:\Windows\system32\svchost.exe{5F3DCEF0-4FD8-623C-AF05-000000004202}6756C:\Windows\system32\NOTEPAD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119386Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:48.513{5F3DCEF0-28A1-623C-9400-000000004202}5024ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\History.txt.lnkMD5=BE6F49BC5852A8C9C09C47CBDD136817,SHA256=2432D68A22E57874DCB38DF4A3B684BE94F0806F5FE4EE7689C087531B3E96C6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119385Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:48.513{5F3DCEF0-286D-623C-1600-000000004202}12601344C:\Windows\system32\svchost.exe{5F3DCEF0-4FD8-623C-AF05-000000004202}6756C:\Windows\system32\NOTEPAD.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119384Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:48.482{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119383Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:48.482{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119382Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:48.482{5F3DCEF0-289E-623C-8500-000000004202}29804132C:\Windows\system32\csrss.exe{5F3DCEF0-4FD8-623C-AF05-000000004202}6756C:\Windows\system32\NOTEPAD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119381Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:48.482{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119380Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:48.482{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119379Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:48.482{5F3DCEF0-28A1-623C-9400-000000004202}50244504C:\Windows\Explorer.EXE{5F3DCEF0-4FD8-623C-AF05-000000004202}6756C:\Windows\system32\NOTEPAD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e70b|C:\Windows\System32\windows.storage.dll+16e421|C:\Windows\System32\windows.storage.dll+16e06e|C:\Windows\System32\windows.storage.dll+16f310|C:\Windows\System32\windows.storage.dll+16ddbe|C:\Windows\System32\windows.storage.dll+fce7d|C:\Windows\System32\windows.storage.dll+fd5bc|C:\Windows\System32\windows.storage.dll+fc920|C:\Windows\System32\windows.storage.dll+1664ca|C:\Windows\System32\windows.storage.dll+166222|C:\Windows\System32\SHELL32.dll+9cf3d|C:\Windows\System32\SHELL32.dll+9bad6|C:\Windows\System32\SHELL32.dll+d9be1|C:\Windows\System32\SHELL32.dll+c0bbe|C:\Windows\System32\SHELL32.dll+15890c|C:\Windows\System32\SHELL32.dll+1982a8|C:\Windows\System32\SHELL32.dll+284613|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+158c54 154100x8000000000000000119378Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:48.487{5F3DCEF0-4FD8-623C-AF05-000000004202}6756C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\7-Zip\History.txtC:\Program Files\7-Zip\ATTACKRANGE\Administrator{5F3DCEF0-28A0-623C-DB99-080000000000}0x899db2HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x800000000000000085702Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:49.559{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14C6F5039569FBA6FB3DFE12E8874A1B,SHA256=E604E4B38B32CD839414416813D7C2295E103383A812ECB8AE56B3C8612FC40C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119407Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:49.623{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71336C63A68E107D3F872384227F9530,SHA256=0CC1915BE8E5F01AB2C1CFAC91ADC9F4121581A243AF0A6603038252B1C47DE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119406Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:49.513{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0595CDBD7AA70286B30EE6366BC85A0B,SHA256=134694D184A8DB128DD05862A5BCEC6978DB6E9925E68CD37B01B406CD0DEBCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085703Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:50.655{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FACD47499BA684765086BA8F13AE2BEA,SHA256=F5980CC25BBEC48875152FB5C5D199CC23A408F1CAD324B5CBC9421BFB8661F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119409Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:48.901{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63311-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119408Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:50.607{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D527E57E3AEB3E59CE6B2B9AB30DAB4,SHA256=4DCF6D8B8DFA1DDEC754AD4ED6253F98B8DA968BD1F131E615D88E213E837176,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085705Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:51.733{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DDC3C964962F2244753066A9EDE535A,SHA256=20C9EE0484FC99D36811235E42A40B73BE679B34A0795625016A88C543C74907,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119410Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:51.700{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1B4A88B6F2684CD872852EC74A318D4,SHA256=1DED7FAF7DEF2F8CADAB5EBBA3A2FA4B133384D16D6014ADDC4CDEBC9F5C8F9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085704Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:51.032{9531C931-286E-623C-1F00-000000004302}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0461bb3aaa367e86a\channels\health\respondent-20220324081441-163MD5=E0BA989DE2EAC2D304FA728EF5181BE5,SHA256=79811ABCB3575FCAAAD7A2ED1966FC2D319842A68AFDD7DF3600AD47FF32DF65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119411Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:52.794{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B2766115E14994837DFACDD8A589CE9,SHA256=FC1CD8B7F7A54E4A601B7DB47E9A007C4BDCE8A4B57A9F1AD2248F3AAA230C2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085734Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:52.812{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C42618902E89F8186A5E85B58231399,SHA256=B73B5F6E5CE1814836978B3655277E7B6E09BB89B44782F48C13F0BDFCA0F251,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085733Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:52.781{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4FDC-623C-2805-000000004302}3136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085732Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:52.781{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085731Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:52.781{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085730Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:52.781{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085729Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:52.781{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085728Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:52.781{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085727Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:52.781{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085726Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:52.781{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085725Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:52.781{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085724Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:52.781{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085723Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:52.781{9531C931-286C-623C-0500-000000004302}408424C:\Windows\system32\csrss.exe{9531C931-4FDC-623C-2805-000000004302}3136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085722Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:52.781{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4FDC-623C-2805-000000004302}3136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085721Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:52.782{9531C931-4FDC-623C-2805-000000004302}3136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000085720Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:52.560{9531C931-4FDC-623C-2705-000000004302}30323576C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085719Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:52.277{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4FDC-623C-2705-000000004302}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085718Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:52.277{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085717Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:52.277{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085716Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:52.277{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085715Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:52.277{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085714Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:52.277{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085713Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:52.277{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085712Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:52.277{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085711Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:52.277{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085710Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:52.277{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085709Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:52.277{9531C931-286C-623C-0500-000000004302}4081060C:\Windows\system32\csrss.exe{9531C931-4FDC-623C-2705-000000004302}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085708Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:52.277{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4FDC-623C-2705-000000004302}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085707Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:52.278{9531C931-4FDC-623C-2705-000000004302}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000085706Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:52.046{9531C931-286E-623C-1F00-000000004302}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0461bb3aaa367e86a\channels\health\surveyor-20220324081439-164MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119412Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:53.888{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DB4E5AB0E9E54C2E5270A77105CE5A7,SHA256=4B18F409AF4C3FCF7E180DCDB3AC30EE262AA9CE8668EF5F8B0C401E1D56B9FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085736Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:53.921{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A056E7B243BF00582FCDA6B20A54E6DC,SHA256=0BB9404FC57EB09DA26D8ECE2B2179E94066698B6531C6FA61B872C01A7975E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085735Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:53.437{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1EB3C741DFFB934D77E465E0B4233A5F,SHA256=6535DCC2406FDECD10F05495A509CC09EEF0441BE2D0C48B05CE330F605DE8B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119413Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:54.982{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D7549DBD9668B536CEF39D2A9AAD0AE,SHA256=351EF29358833193F07FC1E16D7ABF71BB8A9AECC8875685422C1686F6EF8D7F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085737Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:51.732{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51679-false10.0.1.12-8000- 10341000x800000000000000085765Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:55.952{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4FDF-623C-2A05-000000004302}1976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085764Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:55.952{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085763Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:55.952{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085762Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:55.952{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085761Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:55.952{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085760Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:55.952{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085759Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:55.952{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085758Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:55.952{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085757Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:55.952{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085756Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:55.952{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085755Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:55.952{9531C931-286C-623C-0500-000000004302}408528C:\Windows\system32\csrss.exe{9531C931-4FDF-623C-2A05-000000004302}1976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085754Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:55.952{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4FDF-623C-2A05-000000004302}1976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085753Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:55.954{9531C931-4FDF-623C-2A05-000000004302}1976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000085752Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:55.593{9531C931-286E-623C-2100-000000004302}2000NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=E1A2AE2EDE89D3B0E18A556E990FCFE4,SHA256=06BD8DEB6F6A07CA84281EAA41F920F3C77664E87B7626878D4510B0D6570494,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085751Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:55.031{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4FDF-623C-2905-000000004302}780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085750Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:55.031{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085749Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:55.031{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085748Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:55.031{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085747Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:55.031{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085746Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:55.031{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085745Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:55.031{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085744Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:55.031{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085743Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:55.031{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085742Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:55.031{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085741Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:55.031{9531C931-286C-623C-0500-000000004302}408424C:\Windows\system32\csrss.exe{9531C931-4FDF-623C-2905-000000004302}780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085740Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:55.031{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4FDF-623C-2905-000000004302}780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085739Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:55.031{9531C931-4FDF-623C-2905-000000004302}780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000085738Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:55.015{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6554F863E7E2F2A94D52B0A0FE279C80,SHA256=3EF76C0070CC07958D39FCCCE20286AFE4898716C76433F554B44A3E16B9B0E3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085781Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:56.815{9531C931-4FE0-623C-2B05-000000004302}9441260C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085780Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:56.565{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4FE0-623C-2B05-000000004302}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085779Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:56.565{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085778Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:56.565{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085777Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:56.565{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085776Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:56.565{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085775Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:56.565{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085774Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:56.565{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085773Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:56.565{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085772Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:56.565{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085771Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:56.565{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085770Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:56.565{9531C931-286C-623C-0500-000000004302}4081060C:\Windows\system32\csrss.exe{9531C931-4FE0-623C-2B05-000000004302}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085769Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:56.565{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4FE0-623C-2B05-000000004302}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085768Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:56.566{9531C931-4FE0-623C-2B05-000000004302}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000085767Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:56.425{9531C931-4FDF-623C-2A05-000000004302}19762676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000085766Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:56.393{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8F31B99393A6B0DB45FD9AC345AE2D5,SHA256=FA1FB08CAB547D8DD7EB191E0FC8FF9B7361BC8944B0F94A6054B1D610A4ABD8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119415Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:54.850{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63312-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119414Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:56.075{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C079A6514197B23D5C344F234B847EE0,SHA256=636AEEE229CB7E23405F42E22FEF9455867D9DED2E7C387BBFD595F7BC8B4828,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119416Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:57.175{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D2D52C8B957C8D849CA06DFB50CE781,SHA256=CF02751373247CD9131D16CB02CF24AE0A4B9DC20564CD7C8F43A1D723817079,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085795Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:57.315{9531C931-4FE1-623C-2C05-000000004302}36121656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085794Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:57.065{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4FE1-623C-2C05-000000004302}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085793Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:57.065{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085792Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:57.065{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085791Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:57.065{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085790Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:57.065{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085789Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:57.065{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085788Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:57.065{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085787Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:57.065{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085786Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:57.065{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085785Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:57.065{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085784Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:57.065{9531C931-286C-623C-0500-000000004302}4081060C:\Windows\system32\csrss.exe{9531C931-4FE1-623C-2C05-000000004302}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085783Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:57.065{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4FE1-623C-2C05-000000004302}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085782Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:57.066{9531C931-4FE1-623C-2C05-000000004302}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000085796Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:58.065{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FC06F038981BC3AD2216953AA3D82C7,SHA256=5D3A86DDCF638B51BD9F60C1309B7C8A9951D30235AE29014EC9ED5DC87A979F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119417Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:58.269{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AE99A6F9EF833F67B5C24207961595D,SHA256=49E8BED705A6346435ADCBF67DBF5CC84C03737AD69E9810CA48D90096ADC09F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119418Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:02:59.363{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=569D74923D052B5EE50FBF8048462888,SHA256=DB35AF0A7CF42199452FFD48D8FD24FE4B595300DE42E7E77DA58A1EECB9EC03,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085810Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:59.409{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4FE3-623C-2D05-000000004302}3048C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085809Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:59.409{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085808Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:59.409{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085807Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:59.409{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085806Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:59.409{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085805Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:59.409{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085804Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:59.409{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085803Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:59.409{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085802Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:59.409{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085801Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:59.409{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085800Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:59.409{9531C931-286C-623C-0500-000000004302}408424C:\Windows\system32\csrss.exe{9531C931-4FE3-623C-2D05-000000004302}3048C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085799Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:59.409{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4FE3-623C-2D05-000000004302}3048C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085798Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:59.410{9531C931-4FE3-623C-2D05-000000004302}3048C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000085797Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:59.206{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80D494A64835539CC9BE7631224AF218,SHA256=09605989393A7291BD3BE81068CF7AE9638DA11FD45DF0A4DEECFA121FA5BA05,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085813Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:57.692{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51680-false10.0.1.12-8000- 23542300x800000000000000085812Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:00.567{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=54A34A5ABF1094CC5C3A5CD505779956,SHA256=F4162EA432B320F26C9C6195ADCA0C7C1C4B2052F358B4B07BDD4FC868AFFCA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085811Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:00.300{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6CA71438C11795E31C2E9127B7ECDCD,SHA256=45C900437EF85A8A0CA64EF1C1FA56DDA84E6D2763C4462C6343FA18B2443F6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119419Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:00.472{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD2CC98D606B74F53F98062854AFCA1C,SHA256=D9668F197EC5BD83319C649644A6E0E461A4FF940709079086101B1A1F27C75C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085814Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:01.393{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03DDCF2A5FB9CA4920D50FDC1E4795CF,SHA256=DB67A44AC5E7B85158E1FE2A001CE6F0A5004E422BE208A39C01C0C80EC0251E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119420Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:01.566{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=547DB1027A3301E442F44596DB956B56,SHA256=BF0E9269F5648C5B4DA30AEB46794512066733A49FFADB6AC2363827D22EB464,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085815Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:02.503{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6D88AFB1652FE578AC6CDFC22F845DB,SHA256=39CA5DCC5C4FF1BD8A114334B23F15A4E871130C8B5E9F05A76697CB71EDF471,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119429Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:02.660{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC105CFC46A0B0A4531A48179D698981,SHA256=601356104EA5B8BE28A0C0FF972FB864A75CD7E8469FD1269A178BA7C625BBCC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119428Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:02.550{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4FE6-623C-B005-000000004202}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119427Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:02.550{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119426Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:02.550{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119425Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:02.550{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119424Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:02.550{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119423Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:02.550{5F3DCEF0-286A-623C-0500-000000004202}4041324C:\Windows\system32\csrss.exe{5F3DCEF0-4FE6-623C-B005-000000004202}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119422Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:02.550{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4FE6-623C-B005-000000004202}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119421Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:02.551{5F3DCEF0-4FE6-623C-B005-000000004202}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000119440Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:03.803{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4FE7-623C-B105-000000004202}360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119439Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:03.803{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119438Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:03.803{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119437Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:03.803{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119436Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:03.803{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119435Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:03.803{5F3DCEF0-286A-623C-0500-000000004202}404520C:\Windows\system32\csrss.exe{5F3DCEF0-4FE7-623C-B105-000000004202}360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119434Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:03.803{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4FE7-623C-B105-000000004202}360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119433Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:03.803{5F3DCEF0-4FE7-623C-B105-000000004202}360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000119432Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:03.756{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8EEBE0E1E9C4E20A0C4A6B6B960F1DD,SHA256=91EB8371A6C22AC3126CCEBC3E063A891EE684F7FF4F9E29E61F8CE9B809F5A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085816Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:03.597{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46D5D8FD7460DCC5FB21B76A24A56B26,SHA256=A1765A7CF794ECF4025568130FC90BAD8B7E503F055B8D4AFA804684FE886EE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119431Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:03.646{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92A14F7071F1D6769310897AC2CC0FFD,SHA256=286EF1077DD4F9652D9FE24B8062EA2907C7226649FE92137E7E90FFC0EB45B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119430Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:00.887{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63313-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119451Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:04.834{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22F7B3F0BA5B9CFEC89E934195879325,SHA256=2B123A2A2FACEF6A739FAF5F95AA9FB9337C7EF92B1ED9C6FF90F2C94BA70983,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085817Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:04.690{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CD6D03295FA99554B00A677C2B090D3,SHA256=2A5551F6418B9AEEFF166AC84DF3CA124CBD143A35C6CD594F481D5A8ADF4EA3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119450Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:04.646{5F3DCEF0-4FE8-623C-B205-000000004202}49686912C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119449Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:04.474{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4FE8-623C-B205-000000004202}4968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119448Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:04.474{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119447Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:04.474{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119446Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:04.474{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119445Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:04.474{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119444Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:04.474{5F3DCEF0-286A-623C-0500-000000004202}404608C:\Windows\system32\csrss.exe{5F3DCEF0-4FE8-623C-B205-000000004202}4968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119443Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:04.474{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4FE8-623C-B205-000000004202}4968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119442Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:04.475{5F3DCEF0-4FE8-623C-B205-000000004202}4968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000119441Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:04.072{5F3DCEF0-287B-623C-2F00-000000004202}3064NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-055648375a9ac07a7\channels\health\respondent-20220324081453-163MD5=AC296348C12F899BF0F527F2984A2DD1,SHA256=A35560BD23E94F5C9C2AA7752B988DA786BB94608EDDAF755EB3DCD02CE684A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119454Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:05.930{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C43A77CC3B1815819417D859B253943,SHA256=2CB214E185440A5EE7F9CA32D93EC9F531B62382C238C211197D5CCE900FFDF5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085819Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:02.740{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51681-false10.0.1.12-8000- 23542300x800000000000000085818Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:05.784{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=416F9AD4544813757A0E97507A62567C,SHA256=1FD1FE33823FD96BCDAF176299F3C2BBA6AD5CC2B0C6D5B434CC35B68234132A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119453Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:05.445{5F3DCEF0-287B-623C-3200-000000004202}2344NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=E280E3B4916F98BCA1B848154D9F7779,SHA256=98D7E7F653120F372B325DDDF67F558C76182A5D979A9E6D45193A754FBF34F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119452Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:05.086{5F3DCEF0-287B-623C-2F00-000000004202}3064NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-055648375a9ac07a7\channels\health\surveyor-20220324081451-164MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085820Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:06.878{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD356B0D945074E2002771739E635356,SHA256=445CC0CA3B926D0ED00A206B740D92071ADBAC5ED31B1FAC421A4670B8D10D75,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119463Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:06.399{5F3DCEF0-286D-623C-1600-000000004202}12601932C:\Windows\system32\svchost.exe{5F3DCEF0-4FEA-623C-B305-000000004202}852C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119462Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:06.399{5F3DCEF0-286D-623C-1600-000000004202}12601344C:\Windows\system32\svchost.exe{5F3DCEF0-4FEA-623C-B305-000000004202}852C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119461Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:06.399{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4FEA-623C-B305-000000004202}852C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119460Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:06.384{5F3DCEF0-289E-623C-8500-000000004202}29804996C:\Windows\system32\csrss.exe{5F3DCEF0-4FEA-623C-B305-000000004202}852C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119459Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:06.384{5F3DCEF0-286A-623C-0500-000000004202}4041324C:\Windows\system32\csrss.exe{5F3DCEF0-4FEA-623C-B305-000000004202}852C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119458Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:06.384{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4FEA-623C-B305-000000004202}852C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f553|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25bc9|c:\windows\system32\rpcss.dll+40ca2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000119457Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.localEXE2022-03-24 11:03:06.352{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXEC:\Users\Administrator\Desktop\doublezero.exe2022-03-24 11:03:06.352 10341000x8000000000000000119456Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:06.321{5F3DCEF0-28A1-623C-8F00-000000004202}47164784C:\Windows\system32\taskhostw.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119455Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:06.305{5F3DCEF0-286D-623C-1400-000000004202}10886584C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000085821Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:07.972{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AEFE3644D231AB00BBBD45F1B96B2A9,SHA256=ED72D22028BA939FAF5A9DCBC26071846902E674E3AFA4311C2D4FDA14E76CCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119516Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:07.946{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40AAB96A302B73FBA782511EF74A4E48,SHA256=31B572494F4AB6618092EF07610A98487ADE26CB02E10018C7BC80C02C6F2069,IMPHASH=00000000000000000000000000000000falsetrue 534500x8000000000000000119515Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:07.758{5F3DCEF0-4FEB-623C-B505-000000004202}5652C:\Users\Administrator\Desktop\doublezero.exe 23542300x8000000000000000119514Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:07.743{5F3DCEF0-4FEB-623C-B505-000000004202}5652ATTACKRANGE\AdministratorC:\Users\Administrator\Desktop\doublezero.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\SchCache\win-dc-tcontreras-attack-range-891.attackrange.local.schMD5=3B3531A335298119AD90D9B9BEB810AF,SHA256=77996876B4230A7DFCE13A77C0AA2E3B969AFA2A4562FD8583B6DDE3742EB2AD,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000119513Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:07.665{5F3DCEF0-4FEB-623C-B505-000000004202}5652C:\Users\Administrator\Desktop\doublezero.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x8000000000000000119512Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:07.649{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4FEB-623C-B505-000000004202}5652C:\Users\Administrator\Desktop\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119511Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:07.649{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4FEB-623C-B505-000000004202}5652C:\Users\Administrator\Desktop\doublezero.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119510Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:07.649{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4FEB-623C-B505-000000004202}5652C:\Users\Administrator\Desktop\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119509Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:07.649{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-4FEB-623C-B505-000000004202}5652C:\Users\Administrator\Desktop\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119508Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:07.634{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4FEB-623C-B505-000000004202}5652C:\Users\Administrator\Desktop\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119507Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:07.634{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4FEB-623C-B505-000000004202}5652C:\Users\Administrator\Desktop\doublezero.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119506Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:07.634{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4FEB-623C-B505-000000004202}5652C:\Users\Administrator\Desktop\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119505Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:07.602{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4FEB-623C-B505-000000004202}5652C:\Users\Administrator\Desktop\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119504Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:07.571{5F3DCEF0-4FEB-623C-B405-000000004202}65483944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119503Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:07.540{5F3DCEF0-28A1-623C-9400-000000004202}50246296C:\Windows\Explorer.EXE{5F3DCEF0-4FEB-623C-B505-000000004202}5652C:\Users\Administrator\Desktop\doublezero.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119502Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:07.540{5F3DCEF0-28A1-623C-9400-000000004202}50246296C:\Windows\Explorer.EXE{5F3DCEF0-4FEB-623C-B505-000000004202}5652C:\Users\Administrator\Desktop\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119501Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:07.540{5F3DCEF0-28A1-623C-9400-000000004202}50246296C:\Windows\Explorer.EXE{5F3DCEF0-4FEB-623C-B505-000000004202}5652C:\Users\Administrator\Desktop\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119500Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:07.540{5F3DCEF0-28A1-623C-8F00-000000004202}47164784C:\Windows\system32\taskhostw.exe{5F3DCEF0-4FEB-623C-B605-000000004202}6276C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119499Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:07.540{5F3DCEF0-28A1-623C-8F00-000000004202}47164784C:\Windows\system32\taskhostw.exe{5F3DCEF0-4FEB-623C-B605-000000004202}6276C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119498Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:07.524{5F3DCEF0-28A1-623C-9400-000000004202}50243520C:\Windows\Explorer.EXE{5F3DCEF0-4FEB-623C-B505-000000004202}5652C:\Users\Administrator\Desktop\doublezero.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119497Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:07.524{5F3DCEF0-28A1-623C-9400-000000004202}50243520C:\Windows\Explorer.EXE{5F3DCEF0-4FEB-623C-B505-000000004202}5652C:\Users\Administrator\Desktop\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119496Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:07.524{5F3DCEF0-28A1-623C-9400-000000004202}50243520C:\Windows\Explorer.EXE{5F3DCEF0-4FEB-623C-B505-000000004202}5652C:\Users\Administrator\Desktop\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119495Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:07.509{5F3DCEF0-28A1-623C-9400-000000004202}50243520C:\Windows\Explorer.EXE{5F3DCEF0-4FEB-623C-B505-000000004202}5652C:\Users\Administrator\Desktop\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119494Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:07.509{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4FEB-623C-B605-000000004202}6276C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bc660|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119493Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:07.509{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4FEB-623C-B605-000000004202}6276C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10ac30|C:\Windows\System32\SHELL32.dll+bc61c|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119492Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:07.509{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4FEB-623C-B605-000000004202}6276C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bc5f0|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119491Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:07.509{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4FEB-623C-B605-000000004202}6276C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+1007b9|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119490Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:07.494{5F3DCEF0-286D-623C-1600-000000004202}12601932C:\Windows\system32\svchost.exe{5F3DCEF0-4FEB-623C-B605-000000004202}6276C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119489Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:07.494{5F3DCEF0-286D-623C-1600-000000004202}12601344C:\Windows\system32\svchost.exe{5F3DCEF0-4FEB-623C-B605-000000004202}6276C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119488Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:07.477{5F3DCEF0-4FEB-623C-B605-000000004202}62761040C:\Windows\system32\conhost.exe{5F3DCEF0-4FEB-623C-B505-000000004202}5652C:\Users\Administrator\Desktop\doublezero.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119487Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:07.464{5F3DCEF0-289E-623C-8500-000000004202}29804132C:\Windows\system32\csrss.exe{5F3DCEF0-4FEB-623C-B605-000000004202}6276C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119486Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:07.447{5F3DCEF0-286D-623C-1200-000000004202}3961416C:\Windows\System32\svchost.exe{5F3DCEF0-4FEB-623C-B605-000000004202}6276C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119485Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:07.447{5F3DCEF0-286D-623C-1200-000000004202}3961416C:\Windows\System32\svchost.exe{5F3DCEF0-4FEB-623C-B505-000000004202}5652C:\Users\Administrator\Desktop\doublezero.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000119484Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.localInvDBSetValue2022-03-24 11:03:07.447{5F3DCEF0-286D-623C-1200-000000004202}396C:\Windows\System32\svchost.exeHKU\S-1-5-21-121674864-1922237361-2357191555-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Users\Administrator\Desktop\doublezero.exeBinary Data 10341000x8000000000000000119483Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:07.447{5F3DCEF0-286D-623C-1200-000000004202}3961060C:\Windows\System32\svchost.exe{5F3DCEF0-4FEB-623C-B505-000000004202}5652C:\Users\Administrator\Desktop\doublezero.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119482Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:07.447{5F3DCEF0-286D-623C-1200-000000004202}3961060C:\Windows\System32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119481Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:07.447{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119480Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:07.447{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119479Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:07.447{5F3DCEF0-289E-623C-8500-000000004202}29804996C:\Windows\system32\csrss.exe{5F3DCEF0-4FEB-623C-B505-000000004202}5652C:\Users\Administrator\Desktop\doublezero.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119478Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:07.447{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119477Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:07.447{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119476Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:07.447{5F3DCEF0-28A1-623C-9400-000000004202}50241152C:\Windows\Explorer.EXE{5F3DCEF0-4FEB-623C-B505-000000004202}5652C:\Users\Administrator\Desktop\doublezero.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e70b|C:\Windows\System32\windows.storage.dll+16e421|C:\Windows\System32\windows.storage.dll+16e06e|C:\Windows\System32\windows.storage.dll+16f310|C:\Windows\System32\windows.storage.dll+16ddbe|C:\Windows\System32\windows.storage.dll+fce7d|C:\Windows\System32\windows.storage.dll+fd5bc|C:\Windows\System32\windows.storage.dll+fc920|C:\Windows\System32\windows.storage.dll+1664ca|C:\Windows\System32\windows.storage.dll+166222|C:\Windows\System32\SHELL32.dll+9cf3d|C:\Windows\System32\SHELL32.dll+9bad6|C:\Windows\System32\SHELL32.dll+d9be1|C:\Windows\System32\SHELL32.dll+c0bbe|C:\Windows\System32\SHELL32.dll+18d1bc|C:\Windows\System32\SHELL32.dll+18cf13|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119475Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:07.446{5F3DCEF0-4FEB-623C-B505-000000004202}5652C:\Users\Administrator\Desktop\doublezero.exe-----"C:\Users\Administrator\Desktop\doublezero.exe" C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{5F3DCEF0-28A0-623C-DB99-080000000000}0x899db2HighMD5=7D20FA01A703AFA8907E50417D27B0A4,SHA256=3B2E708EAA4744C76A633391CF2C983F4A098B46436525619E5EA44E105355FE,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 354300x8000000000000000119474Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:05.861{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local63314-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local389ldap 354300x8000000000000000119473Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:05.861{5F3DCEF0-287B-623C-2E00-000000004202}3044C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local63314-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local389ldap 10341000x8000000000000000119472Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:07.337{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4FEB-623C-B405-000000004202}6548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119471Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:07.337{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119470Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:07.337{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119469Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:07.337{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119468Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:07.337{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119467Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:07.337{5F3DCEF0-286A-623C-0500-000000004202}4041324C:\Windows\system32\csrss.exe{5F3DCEF0-4FEB-623C-B405-000000004202}6548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119466Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:07.337{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4FEB-623C-B405-000000004202}6548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119465Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:07.337{5F3DCEF0-4FEB-623C-B405-000000004202}6548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000119464Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:07.024{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DD0D19C3AE8FC01028A74CE23DAE6D1,SHA256=06054203D3DEDD5DA6A65F3220F08078469299BB6A0FE3A074D6286ACA1C19ED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119535Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:08.680{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4FEC-623C-B805-000000004202}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119534Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:08.680{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119533Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:08.680{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119532Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:08.680{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119531Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:08.680{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119530Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:08.680{5F3DCEF0-286A-623C-0500-000000004202}404420C:\Windows\system32\csrss.exe{5F3DCEF0-4FEC-623C-B805-000000004202}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119529Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:08.680{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4FEC-623C-B805-000000004202}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119528Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:08.683{5F3DCEF0-4FEC-623C-B805-000000004202}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000119527Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:06.892{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63315-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000119526Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:08.399{5F3DCEF0-4FEC-623C-B705-000000004202}63407132C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119525Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:08.165{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4FEC-623C-B705-000000004202}6340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119524Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:08.165{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119523Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:08.165{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119522Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:08.165{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119521Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:08.165{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119520Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:08.165{5F3DCEF0-286A-623C-0500-000000004202}404420C:\Windows\system32\csrss.exe{5F3DCEF0-4FEC-623C-B705-000000004202}6340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119519Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:08.165{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4FEC-623C-B705-000000004202}6340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119518Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:08.166{5F3DCEF0-4FEC-623C-B705-000000004202}6340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000119517Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:08.149{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A04BE266CE9C6E2904F81BE21D20B74B,SHA256=08AB5052562623F717AB189DBCC13774A79D38BFEE84B91D3167FA8F76E0497C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085822Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:09.065{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46861939F41E4B77B74E9286C1C7DAC6,SHA256=542466B9BAACE618D48A4B9A0B25FDD2E7F32219271B0AA9D1964077D3D92378,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000119556Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.localInvDB-VerSetValue2022-03-24 11:03:09.790{5F3DCEF0-286D-623C-1200-000000004202}396C:\Windows\System32\svchost.exe\REGISTRY\A\{791f588d-6934-29f3-f2d7-f3920c3076bd}\Root\InventoryApplicationFile\doublezero.exe|3fc536bd739dae98\BinProductVersion(Empty) 13241300x8000000000000000119555Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-24 11:03:09.790{5F3DCEF0-286D-623C-1200-000000004202}396C:\Windows\System32\svchost.exe\REGISTRY\A\{791f588d-6934-29f3-f2d7-f3920c3076bd}\Root\InventoryApplicationFile\doublezero.exe|3fc536bd739dae98\LinkDate05/28/2071 22:00:51 13241300x8000000000000000119554Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.localInvDB-PubSetValue2022-03-24 11:03:09.790{5F3DCEF0-286D-623C-1200-000000004202}396C:\Windows\System32\svchost.exe\REGISTRY\A\{791f588d-6934-29f3-f2d7-f3920c3076bd}\Root\InventoryApplicationFile\doublezero.exe|3fc536bd739dae98\Publisher(Empty) 13241300x8000000000000000119553Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.localInvDB-PathSetValue2022-03-24 11:03:09.790{5F3DCEF0-286D-623C-1200-000000004202}396C:\Windows\System32\svchost.exe\REGISTRY\A\{791f588d-6934-29f3-f2d7-f3920c3076bd}\Root\InventoryApplicationFile\doublezero.exe|3fc536bd739dae98\LowerCaseLongPathc:\users\administrator\desktop\doublezero.exe 924900x8000000000000000119552Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:09.790{5F3DCEF0-286D-623C-1200-000000004202}396C:\Windows\System32\svchost.exe\Device\Harddisk0\DR0 924900x8000000000000000119551Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:09.790{5F3DCEF0-286D-623C-1200-000000004202}396C:\Windows\System32\svchost.exe\Device\HarddiskVolume1 23542300x8000000000000000119550Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:09.774{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=73F86683F8D6AF40F59FCE2F0FDCD199,SHA256=27425AA3D6AED09EF3D3297815656AE6D4814FC764B5B69773F34985AED97807,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000119549Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.localInvDBSetValue2022-03-24 11:03:09.774{5F3DCEF0-286D-623C-1200-000000004202}396C:\Windows\System32\svchost.exeHKU\S-1-5-21-121674864-1922237361-2357191555-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Users\Administrator\Desktop\doublezero.exeBinary Data 354300x8000000000000000119548Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:07.420{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63316-false10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local389ldap 354300x8000000000000000119547Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:07.420{00000000-0000-0000-0000-000000000000}5652<unknown process>-tcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63316-false10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local389ldap 10341000x8000000000000000119546Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:09.368{5F3DCEF0-4FED-623C-B905-000000004202}14244140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119545Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:09.243{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B67004C650D8A95AA8539F169023440C,SHA256=6A9D45C79B9ACE0256D5691B2896D838F494D5DA8A3AA4C83499AA285AC8C721,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119544Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:09.180{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4FED-623C-B905-000000004202}1424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119543Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:09.180{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119542Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:09.180{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119541Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:09.180{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119540Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:09.180{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119539Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:09.180{5F3DCEF0-286A-623C-0500-000000004202}4041324C:\Windows\system32\csrss.exe{5F3DCEF0-4FED-623C-B905-000000004202}1424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119538Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:09.180{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4FED-623C-B905-000000004202}1424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119537Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:09.181{5F3DCEF0-4FED-623C-B905-000000004202}1424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 22542200x8000000000000000119536Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:07.659{5F3DCEF0-4FEB-623C-B505-000000004202}5652win-dc-tcontreras-attack-range-891.attackrange.local0fe80::44c5:ef28:42ec:7b5;::ffff:10.0.1.14;C:\Users\Administrator\Desktop\doublezero.exe 354300x800000000000000085824Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:08.552{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51682-false10.0.1.12-8000- 23542300x800000000000000085823Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:10.159{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84505BBFB81E1F09D65B65F39A43BC9A,SHA256=3D0C019CB5F856AE94CCAEAAD89D0953D94CB344B3EAAE634B06B3306F96C249,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119563Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:10.837{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3400-000000004202}2020C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119562Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:10.837{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3400-000000004202}2020C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119561Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:10.837{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3400-000000004202}2020C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119560Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:10.837{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3400-000000004202}2020C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119559Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:10.837{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119558Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:10.837{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119557Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:10.227{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D2084ABAE21D9D9EB1492052CFCB0D0,SHA256=C556BB0B9C624E76CB633516D44DDC8D45F5B72D6A1C129CF4A09C9E0CFB9CAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085825Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:11.253{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19CB1336E20BE4BA58711987C9842F7E,SHA256=7B7AB884080936E9F8EE8CFAD78ABFA4B94E73FFF0EEDA44D904F897380D5EC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119564Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:11.337{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD6EC6FBEE44225206FFED90903DA4C2,SHA256=C97189870C8F18EEB36F3995BED189C5D491582CE5C6CA45C1E986F3FC73E0ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085826Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:12.347{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A7AD284AFA8AC61EBFAE5FA50C157CF,SHA256=8F136261211F2FA1A8EE6FF808FD01F47EA4404FA17EDDDEE8F229D5B4070DB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119565Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:12.430{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=985E1800456ADFA94BEE806BF6E9FDB0,SHA256=AAF54048896E03FE698698F7EC6182F945F5617A58B848EFDDE975C0E5B2C76B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085827Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:13.440{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2DF1BC2C16FDC071DE12CAE73847D39,SHA256=B0A7101132EFD3775A1655EB38EEB6DB868C88EC8C0E76F0EEDD831BA34FECBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119566Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:13.524{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A90CD4885F86B93BCC47FEAF59F32ECF,SHA256=6542DA22C6F6F9320FE868D6F6DB2CEA0B7E1D40ABCE41E15407C63DD9441FED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119568Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:14.618{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D46B876BE2EECBD8CFCB570D255A6346,SHA256=C1E790A3138EDD17D2E2DAF7714498862C7766D6FB40F898A8183A4BB5A479FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085828Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:14.534{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADB9449EBE3DEF13A839245C9B146B27,SHA256=CBF1BFCE00504F67BAE7AE19E5A32D9F1B3CCDFA2C5F15304BCEDED82EA795AB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119567Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:12.923{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63317-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119569Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:15.712{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E07B42A22CB5C605E61370411A30970D,SHA256=232C3968C17D0BF230BB06DB1FB64BE0822DE099700038794DE13436642BA00F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085829Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:15.628{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D62D86CFB052FBC2AB2B6122C79DFFE,SHA256=9F79B29C34056B993D326B5C4D0A36B0D721F6AF42D8C5B1B02D7C3ABA26DF89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085831Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:16.723{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B479B249AE80496AED5BCE9228B455C,SHA256=7144692D4DE123DEA077DD193B399F0643829E5DF02D6C860711A5FD8C451D26,IMPHASH=00000000000000000000000000000000falsetrue 534500x8000000000000000119608Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:16.396{5F3DCEF0-4FF4-623C-BA05-000000004202}2376C:\Users\Administrator\Desktop\doublezero.exe 23542300x8000000000000000119607Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:16.381{5F3DCEF0-4FF4-623C-BA05-000000004202}2376ATTACKRANGE\AdministratorC:\Users\Administrator\Desktop\doublezero.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\SchCache\win-dc-tcontreras-attack-range-891.attackrange.local.schMD5=3B3531A335298119AD90D9B9BEB810AF,SHA256=77996876B4230A7DFCE13A77C0AA2E3B969AFA2A4562FD8583B6DDE3742EB2AD,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000119606Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:16.303{5F3DCEF0-4FF4-623C-BA05-000000004202}2376C:\Users\Administrator\Desktop\doublezero.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x8000000000000000119605Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:16.303{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4FF4-623C-BA05-000000004202}2376C:\Users\Administrator\Desktop\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119604Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:16.291{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4FF4-623C-BA05-000000004202}2376C:\Users\Administrator\Desktop\doublezero.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119603Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:16.291{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4FF4-623C-BA05-000000004202}2376C:\Users\Administrator\Desktop\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119602Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:16.291{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-4FF4-623C-BA05-000000004202}2376C:\Users\Administrator\Desktop\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119601Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:16.271{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4FF4-623C-BA05-000000004202}2376C:\Users\Administrator\Desktop\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119600Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:16.271{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4FF4-623C-BA05-000000004202}2376C:\Users\Administrator\Desktop\doublezero.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119599Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:16.271{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4FF4-623C-BA05-000000004202}2376C:\Users\Administrator\Desktop\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119598Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:16.240{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4FF4-623C-BA05-000000004202}2376C:\Users\Administrator\Desktop\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119597Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:16.209{5F3DCEF0-28A1-623C-9400-000000004202}50246296C:\Windows\Explorer.EXE{5F3DCEF0-4FF4-623C-BA05-000000004202}2376C:\Users\Administrator\Desktop\doublezero.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119596Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:16.209{5F3DCEF0-28A1-623C-9400-000000004202}50246296C:\Windows\Explorer.EXE{5F3DCEF0-4FF4-623C-BA05-000000004202}2376C:\Users\Administrator\Desktop\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119595Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:16.209{5F3DCEF0-28A1-623C-9400-000000004202}50246296C:\Windows\Explorer.EXE{5F3DCEF0-4FF4-623C-BA05-000000004202}2376C:\Users\Administrator\Desktop\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119594Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:16.209{5F3DCEF0-28A1-623C-8F00-000000004202}47164784C:\Windows\system32\taskhostw.exe{5F3DCEF0-4FF4-623C-BB05-000000004202}700C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119593Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:16.209{5F3DCEF0-28A1-623C-8F00-000000004202}47164784C:\Windows\system32\taskhostw.exe{5F3DCEF0-4FF4-623C-BB05-000000004202}700C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119592Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:16.180{5F3DCEF0-28A1-623C-9400-000000004202}50243520C:\Windows\Explorer.EXE{5F3DCEF0-4FF4-623C-BA05-000000004202}2376C:\Users\Administrator\Desktop\doublezero.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119591Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:16.180{5F3DCEF0-28A1-623C-9400-000000004202}50243520C:\Windows\Explorer.EXE{5F3DCEF0-4FF4-623C-BA05-000000004202}2376C:\Users\Administrator\Desktop\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119590Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:16.180{5F3DCEF0-28A1-623C-9400-000000004202}50243520C:\Windows\Explorer.EXE{5F3DCEF0-4FF4-623C-BA05-000000004202}2376C:\Users\Administrator\Desktop\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119589Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:16.180{5F3DCEF0-28A1-623C-9400-000000004202}50243520C:\Windows\Explorer.EXE{5F3DCEF0-4FF4-623C-BA05-000000004202}2376C:\Users\Administrator\Desktop\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119588Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:16.180{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4FF4-623C-BB05-000000004202}700C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bc660|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119587Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:16.180{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4FF4-623C-BB05-000000004202}700C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10ac30|C:\Windows\System32\SHELL32.dll+bc61c|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119586Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:16.180{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4FF4-623C-BB05-000000004202}700C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bc5f0|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119585Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:16.180{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4FF4-623C-BB05-000000004202}700C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+1007b9|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119584Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:16.165{5F3DCEF0-286D-623C-1600-000000004202}12601932C:\Windows\system32\svchost.exe{5F3DCEF0-4FF4-623C-BB05-000000004202}700C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119583Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:16.165{5F3DCEF0-286D-623C-1600-000000004202}12601344C:\Windows\system32\svchost.exe{5F3DCEF0-4FF4-623C-BB05-000000004202}700C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119582Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:16.165{5F3DCEF0-4FF4-623C-BB05-000000004202}7002712C:\Windows\system32\conhost.exe{5F3DCEF0-4FF4-623C-BA05-000000004202}2376C:\Users\Administrator\Desktop\doublezero.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119581Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:16.165{5F3DCEF0-289E-623C-8500-000000004202}29802452C:\Windows\system32\csrss.exe{5F3DCEF0-4FF4-623C-BB05-000000004202}700C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119580Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:16.149{5F3DCEF0-286D-623C-1200-000000004202}3961416C:\Windows\System32\svchost.exe{5F3DCEF0-4FF4-623C-BB05-000000004202}700C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119579Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:16.149{5F3DCEF0-286D-623C-1200-000000004202}3961416C:\Windows\System32\svchost.exe{5F3DCEF0-4FF4-623C-BA05-000000004202}2376C:\Users\Administrator\Desktop\doublezero.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119578Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:16.149{5F3DCEF0-286D-623C-1200-000000004202}3961060C:\Windows\System32\svchost.exe{5F3DCEF0-4FF4-623C-BA05-000000004202}2376C:\Users\Administrator\Desktop\doublezero.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119577Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:16.149{5F3DCEF0-286D-623C-1200-000000004202}3961060C:\Windows\System32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119576Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:16.149{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119575Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:16.149{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119574Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:16.149{5F3DCEF0-289E-623C-8500-000000004202}29804996C:\Windows\system32\csrss.exe{5F3DCEF0-4FF4-623C-BA05-000000004202}2376C:\Users\Administrator\Desktop\doublezero.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119573Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:16.149{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119572Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:16.149{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119571Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:16.149{5F3DCEF0-28A1-623C-9400-000000004202}50245028C:\Windows\Explorer.EXE{5F3DCEF0-4FF4-623C-BA05-000000004202}2376C:\Users\Administrator\Desktop\doublezero.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e70b|C:\Windows\System32\windows.storage.dll+16e421|C:\Windows\System32\windows.storage.dll+16e06e|C:\Windows\System32\windows.storage.dll+16f310|C:\Windows\System32\windows.storage.dll+16ddbe|C:\Windows\System32\windows.storage.dll+fce7d|C:\Windows\System32\windows.storage.dll+fd5bc|C:\Windows\System32\windows.storage.dll+fc920|C:\Windows\System32\windows.storage.dll+1664ca|C:\Windows\System32\windows.storage.dll+166222|C:\Windows\System32\SHELL32.dll+9cf3d|C:\Windows\System32\SHELL32.dll+9bad6|C:\Windows\System32\SHELL32.dll+d9be1|C:\Windows\System32\SHELL32.dll+c0bbe|C:\Windows\System32\SHELL32.dll+15890c|C:\Windows\System32\SHELL32.dll+1982a8|C:\Windows\System32\SHELL32.dll+284613|C:\Windows\System32\SHELL32.dll+445b8f|C:\Windows\System32\SHELL32.dll+158c54|C:\Windows\System32\SHELL32.dll+15602e 154100x8000000000000000119570Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:16.156{5F3DCEF0-4FF4-623C-BA05-000000004202}2376C:\Users\Administrator\Desktop\doublezero.exe-----"C:\Users\Administrator\Desktop\doublezero.exe" C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{5F3DCEF0-28A0-623C-DB99-080000000000}0x899db2HighMD5=7D20FA01A703AFA8907E50417D27B0A4,SHA256=3B2E708EAA4744C76A633391CF2C983F4A098B46436525619E5EA44E105355FE,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 354300x800000000000000085830Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:13.786{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51683-false10.0.1.12-8000- 23542300x800000000000000085832Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:17.817{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9BC3D1198B0CDBB679D7105703386F1,SHA256=ADA467DDF5CEC7643455F8BBB51B0A478FAD1E5C1D6E88147B872F1FE0200750,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119612Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:16.062{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63318-false10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local389ldap 354300x8000000000000000119611Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:16.062{00000000-0000-0000-0000-000000000000}2376<unknown process>-tcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63318-false10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local389ldap 23542300x8000000000000000119610Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:17.224{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5CEE1154B5D04CBC96393CA01C6ACA66,SHA256=B5E1A612280E54107E39BFEB9235C1826F95DF37052A0795B716152AFBC9B663,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119609Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:17.131{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=468AD1B15C8E9330AEBE24841609E554,SHA256=417454A95657DCCFAE094FF7CE90E9C6EB14201493DFEFD6362A63E890AFE3CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085833Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:18.911{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94F2AD6BE5A7630A83954011D867BC77,SHA256=90ED33F495BAF1E803807EA9770BBDCCCF220D74CD7ABBE209825C0264CC9208,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000119615Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.localInvDBSetValue2022-03-24 11:03:18.412{5F3DCEF0-286D-623C-1200-000000004202}396C:\Windows\System32\svchost.exeHKU\S-1-5-21-121674864-1922237361-2357191555-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Users\Administrator\Desktop\doublezero.exeBinary Data 22542200x8000000000000000119614Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:16.299{5F3DCEF0-4FF4-623C-BA05-000000004202}2376win-dc-tcontreras-attack-range-891.attackrange.local0fe80::44c5:ef28:42ec:7b5;::ffff:10.0.1.14;C:\Users\Administrator\Desktop\doublezero.exe 23542300x8000000000000000119613Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:18.240{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C754D18028BBE3D34875257B9E4255E,SHA256=03BEB947001612EA44FED155C746EBC35A14651EB0126EBD9628C2C0A501A5F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119643Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:19.803{5F3DCEF0-28A1-623C-9400-000000004202}50246296C:\Windows\Explorer.EXE{5F3DCEF0-4FF7-623C-BC05-000000004202}5752C:\Windows\system32\mspaint.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119642Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:19.803{5F3DCEF0-28A1-623C-9400-000000004202}50246296C:\Windows\Explorer.EXE{5F3DCEF0-4FF7-623C-BC05-000000004202}5752C:\Windows\system32\mspaint.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119641Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:19.803{5F3DCEF0-28A1-623C-9400-000000004202}50246296C:\Windows\Explorer.EXE{5F3DCEF0-4FF7-623C-BC05-000000004202}5752C:\Windows\system32\mspaint.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119640Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:19.756{5F3DCEF0-28A1-623C-8F00-000000004202}47164784C:\Windows\system32\taskhostw.exe{5F3DCEF0-4FF7-623C-BC05-000000004202}5752C:\Windows\system32\mspaint.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119639Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:19.756{5F3DCEF0-28A1-623C-8F00-000000004202}47164784C:\Windows\system32\taskhostw.exe{5F3DCEF0-4FF7-623C-BC05-000000004202}5752C:\Windows\system32\mspaint.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119638Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:19.740{5F3DCEF0-28A1-623C-9400-000000004202}50243520C:\Windows\Explorer.EXE{5F3DCEF0-4FF7-623C-BC05-000000004202}5752C:\Windows\system32\mspaint.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119637Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:19.740{5F3DCEF0-28A1-623C-9400-000000004202}50243520C:\Windows\Explorer.EXE{5F3DCEF0-4FF7-623C-BC05-000000004202}5752C:\Windows\system32\mspaint.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119636Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:19.740{5F3DCEF0-28A1-623C-9400-000000004202}50243520C:\Windows\Explorer.EXE{5F3DCEF0-4FF7-623C-BC05-000000004202}5752C:\Windows\system32\mspaint.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119635Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:19.740{5F3DCEF0-28A1-623C-9400-000000004202}50243520C:\Windows\Explorer.EXE{5F3DCEF0-4FF7-623C-BC05-000000004202}5752C:\Windows\system32\mspaint.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119634Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:19.740{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4FF7-623C-BC05-000000004202}5752C:\Windows\system32\mspaint.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bc660|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119633Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:19.740{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4FF7-623C-BC05-000000004202}5752C:\Windows\system32\mspaint.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10ac30|C:\Windows\System32\SHELL32.dll+bc61c|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119632Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:19.740{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4FF7-623C-BC05-000000004202}5752C:\Windows\system32\mspaint.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bc5f0|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119631Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:19.740{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4FF7-623C-BC05-000000004202}5752C:\Windows\system32\mspaint.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+1007b9|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119630Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:19.568{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-4FF7-623C-BC05-000000004202}5752C:\Windows\system32\mspaint.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119629Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:19.490{5F3DCEF0-286D-623C-1600-000000004202}12601932C:\Windows\system32\svchost.exe{5F3DCEF0-4FF7-623C-BC05-000000004202}5752C:\Windows\system32\mspaint.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119628Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:19.490{5F3DCEF0-286D-623C-1600-000000004202}12601344C:\Windows\system32\svchost.exe{5F3DCEF0-4FF7-623C-BC05-000000004202}5752C:\Windows\system32\mspaint.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000119627Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:19.474{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\Temp.lnk2022-03-23 15:36:07.099 23542300x8000000000000000119626Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:19.474{5F3DCEF0-28A1-623C-9400-000000004202}5024ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\Temp.lnkMD5=05FA4E8F1AB9C6525C7E6A70D6129998,SHA256=1FCDCAA728D9C252FE049059A6384F0F321E4CF5E3DD73291CFFD885D2F0A3DE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000119625Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:19.459{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\3.png.lnk2022-03-23 15:36:52.987 23542300x8000000000000000119624Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:19.459{5F3DCEF0-28A1-623C-9400-000000004202}5024ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\3.png.lnkMD5=A802A1BDC8348142D504A433F62DB421,SHA256=F480520027513D7303EBD4305F9808B7DB5268304D9EA0813A085736D05C3BFA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119623Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:19.427{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119622Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:19.427{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119621Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:19.427{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119620Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:19.427{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119619Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:19.427{5F3DCEF0-289E-623C-8500-000000004202}29806004C:\Windows\system32\csrss.exe{5F3DCEF0-4FF7-623C-BC05-000000004202}5752C:\Windows\system32\mspaint.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119618Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:19.427{5F3DCEF0-28A1-623C-9400-000000004202}50244380C:\Windows\Explorer.EXE{5F3DCEF0-4FF7-623C-BC05-000000004202}5752C:\Windows\system32\mspaint.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e70b|C:\Windows\System32\windows.storage.dll+16e421|C:\Windows\System32\windows.storage.dll+16e06e|C:\Windows\System32\windows.storage.dll+16f310|C:\Windows\System32\windows.storage.dll+16ddbe|C:\Windows\System32\windows.storage.dll+fce7d|C:\Windows\System32\windows.storage.dll+fd5bc|C:\Windows\System32\windows.storage.dll+fc920|C:\Windows\System32\windows.storage.dll+1664ca|C:\Windows\System32\windows.storage.dll+166222|C:\Windows\System32\SHELL32.dll+9cf3d|C:\Windows\System32\SHELL32.dll+9bad6|C:\Windows\System32\SHELL32.dll+d9be1|C:\Windows\System32\SHELL32.dll+c0bbe|C:\Windows\System32\SHELL32.dll+18d1bc|C:\Windows\System32\SHELL32.dll+18cf13|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119617Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:19.360{5F3DCEF0-4FF7-623C-BC05-000000004202}5752C:\Windows\System32\mspaint.exe10.0.14393.4651 (rs1_release.210911-1554)PaintMicrosoft® Windows® Operating SystemMicrosoft CorporationMSPAINT.EXE"C:\Windows\system32\mspaint.exe" "C:\Temp\3.png"C:\Temp\ATTACKRANGE\Administrator{5F3DCEF0-28A0-623C-DB99-080000000000}0x899db2HighMD5=7D38DC0D3BFD714944178F4E9BBCB9DC,SHA256=5E60ADD8FAB01DF9AAE7DBEEECC8F4918124D955851B763E774FC503199A93E3,IMPHASH=A1AE90944010E9EC06EBA7D463508EB8{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x8000000000000000119616Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:19.349{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4B2DC5E94763B5EEE7F80EC0C8407B9,SHA256=7AFB69841F5D0EF86D9D8020D9FABF578632B71DBB87A2B6530820D0AD2DAB25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119645Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:20.678{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39128022C89A24021F46150583D845D1,SHA256=063A2A7DDFEFA3F5A4CABF3C5E5EE77ED6087586B29D263D2C989EE1E89608F7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119644Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:18.952{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63319-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000085834Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:20.004{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2B31E194FD4D5CB75786C356026B29B,SHA256=0D405460383EF64FA5F5F906B8423CAD478BE6DB30C8301227DEE478E4A1E47C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119646Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:21.787{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A70148E62A7DB67F26E57A949B7BA615,SHA256=A416504E8F7F86A8A520B49F7A1439E5B9CDDF488DDDD7C00427B68E98D05F89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085835Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:21.098{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDA2CE75D6A90DF4E21C6575BF8FC284,SHA256=7E271F98E11372E6BBA7E0F4EA41444B10103B4569CF429F5FC797E6884FE90C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119649Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:22.896{5F3DCEF0-286B-623C-0B00-000000004202}620744C:\Windows\system32\lsass.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119648Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:22.896{5F3DCEF0-286B-623C-0B00-000000004202}620744C:\Windows\system32\lsass.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119647Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:22.881{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F9EC910B8B607C1AAB87F02BD746D02,SHA256=97C00B2780E5FC6D90A458849E03E79FB7EB004F8B84B3944F40680E4F5F95F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085837Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:19.741{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51684-false10.0.1.12-8000- 23542300x800000000000000085836Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:22.192{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED860AA3DEF1AA8A57949E01030EEAF6,SHA256=67EDAB7AE1E744ECCCBE913421113F56C135BBE7FF981F5A8072A392180606A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119650Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:23.974{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82E33FDF189617D5A19B760B75B60A92,SHA256=865346C380E735D26581193F82D1C40BF19C3B33BD7A3EBC38A49091FC978E01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085838Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:23.286{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72A1C631BF61602171A48D93340B5CB1,SHA256=3724F6D08BDC15D72519B15E38AF8EAB19D65D520E1ABE97AAD55DCF48681D35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085839Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:24.379{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5472B95E84424297A87633487723CA0,SHA256=901FF54D7FD3330DB9732D173B8380628978715C41F45A54BACA417DB90AE171,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085841Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:25.708{9531C931-286E-623C-2100-000000004302}2000NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=BB08C9746DD3029FB1072B773969E1A2,SHA256=AA401242128A398647F7811B0633EDE6A5741937A4831341FFA0A621801F86EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085840Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:25.473{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2A829401FB17D48F67AD4F159C73436,SHA256=AC0C9F616A0893A006AAF95828410EF1E4AD66D8AE0195B29B7F666258C3CCBC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119652Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:23.998{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63320-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119651Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:25.068{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10A26D0763A4411050C17BF3B18E8133,SHA256=B0BAB890EB9E84CDF56676AC551B1828F66CE5DF2070552FBB9F2CF916A09F2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085842Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:26.567{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A30412DD1DF42997ECEBB866906C1C9,SHA256=48049A4550BF6146103736896F2FAB877C3C5F8F32833B8C1C0ADD1B1A1B7298,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119653Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:26.162{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D8E11541EFC90AB24AD6EBC47A1D3D4,SHA256=F6D4CDDE398F51FEBF92F648796E990A257FE19BA6063CEF7DD82304470BF789,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085843Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:27.661{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD98655F94DECB21A83BA620189AFD41,SHA256=13E9843F0E2CAE6955325EC3421824E6D97F27AFA98A3AE5356EDA75AE09664C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119654Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:27.256{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=387C9EA55365390FFB0B0D39F1FCCA6E,SHA256=829B618BCF0A4A7E22DDD813E2809DF1B2F7EDFD18EBE67C1000B339C24D95EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085845Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:28.754{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=609A75E304D43AF357576E0E382BC162,SHA256=6725326FA04D19DC11A88DDEDCC211E315008C6918B18B7E03E733E89E8171E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119668Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:28.896{5F3DCEF0-286D-623C-1600-000000004202}12601932C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119667Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:28.896{5F3DCEF0-286D-623C-1600-000000004202}12601344C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000119666Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-CreatePipe2022-03-24 11:03:28.771{5F3DCEF0-5000-623C-BD05-000000004202}6696\dotnet-diagnostic-6696C:\Users\Administrator\Downloads\dnSpy.exe 10341000x8000000000000000119665Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:28.646{5F3DCEF0-286D-623C-1200-000000004202}3961416C:\Windows\System32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119664Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:28.646{5F3DCEF0-286D-623C-1200-000000004202}3961060C:\Windows\System32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119663Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:28.646{5F3DCEF0-286D-623C-1200-000000004202}3961060C:\Windows\System32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119662Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:28.646{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119661Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:28.646{5F3DCEF0-289E-623C-8500-000000004202}29802452C:\Windows\system32\csrss.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119660Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:28.646{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119659Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:28.646{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119658Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:28.646{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119657Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:28.646{5F3DCEF0-28A1-623C-9400-000000004202}50246804C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e70b|C:\Windows\System32\windows.storage.dll+16e421|C:\Windows\System32\windows.storage.dll+16e06e|C:\Windows\System32\windows.storage.dll+16f310|C:\Windows\System32\windows.storage.dll+16ddbe|C:\Windows\System32\windows.storage.dll+fce7d|C:\Windows\System32\windows.storage.dll+fd5bc|C:\Windows\System32\windows.storage.dll+fc920|C:\Windows\System32\windows.storage.dll+1664ca|C:\Windows\System32\windows.storage.dll+166222|C:\Windows\System32\SHELL32.dll+9cf3d|C:\Windows\System32\SHELL32.dll+9bad6|C:\Windows\System32\SHELL32.dll+d9be1|C:\Windows\System32\SHELL32.dll+c0bbe|C:\Windows\System32\SHELL32.dll+18d1bc|C:\Windows\System32\SHELL32.dll+18cf13|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119656Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:28.647{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe6.1.8.0dnSpydnSpydnSpydnSpy.dll"C:\Users\Administrator\Downloads\dnSpy.exe" C:\Users\Administrator\Downloads\ATTACKRANGE\Administrator{5F3DCEF0-28A0-623C-DB99-080000000000}0x899db2HighMD5=5CF180FEC9628C4DF4267DE3ED7A98A7,SHA256=BC1C4E0FC49C138BBFC223D3E94231CD4884439C663646D91E48FA005DF6704A,IMPHASH=EA4DD374D22E48FDCFFCC7AD5E323053{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x8000000000000000119655Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:28.349{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AF57C73D8CC762DB0FE2DA559913FF0,SHA256=B1D27EC1FCC52978A43FB31AB32EE59FD4CE88902D8CE19F02A12E39FEA78297,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085844Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:25.663{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51685-false10.0.1.12-8000- 23542300x800000000000000085846Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:29.848{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C501FD13DCB58CAB4B25685EC0EDCBFF,SHA256=D2C9F668730B33143525A90EEFB03E35B2559602F164BB501209F3AC6BF357AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119672Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:29.849{5F3DCEF0-286D-623C-1100-000000004202}4081592C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119671Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:29.693{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=748EB348136207BF9633169F168535C2,SHA256=A567D464826DD17C9DF01C0072FFE0C96F6E268D6BA6A98FACC522E300CF9040,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119670Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:29.599{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119669Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:29.459{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23E099895A34BB9CD8524DBF4D5EF2D9,SHA256=80DB9EF5E7C65BE6D4150D00671B33ECFA7F485F58889801D40D1F2B62FC4C42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085847Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:30.942{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B461C6DA69F07863B93D9DCF85B9A3DE,SHA256=3A7EE3C459C602F7B090E52B976315F4471586C9E103DD01AE73BD8F89E81ADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119693Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:30.801{5F3DCEF0-5000-623C-BD05-000000004202}6696ATTACKRANGE\AdministratorC:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\AppData\Local\dnSpy\Startup64\net\startup.profileMD5=EDF60661C41176B5CE86A2ECEE9BB8C4,SHA256=3B638ACA8EA69A99FE881A4E9C9DFD021A0BFC553AA91718C4389430D7F39ECB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119692Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:30.548{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B6D4F708FF2C02FAA94B7D52C1BA1C7,SHA256=F6165456C8ABB2E8A503EBD0C06724A81CF931F07D53867B3AABE59980AB268F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119691Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:30.527{5F3DCEF0-28A1-623C-9400-000000004202}50246296C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119690Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:30.526{5F3DCEF0-28A1-623C-9400-000000004202}50246296C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119689Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:30.526{5F3DCEF0-28A1-623C-9400-000000004202}50246296C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119688Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:30.521{5F3DCEF0-28A1-623C-8F00-000000004202}47164784C:\Windows\system32\taskhostw.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119687Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:30.518{5F3DCEF0-28A1-623C-8F00-000000004202}47164784C:\Windows\system32\taskhostw.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119686Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:30.516{5F3DCEF0-28A1-623C-9400-000000004202}50243520C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119685Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:30.516{5F3DCEF0-28A1-623C-9400-000000004202}50243520C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119684Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:30.516{5F3DCEF0-28A1-623C-9400-000000004202}50243520C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119683Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:30.515{5F3DCEF0-28A1-623C-9400-000000004202}50243520C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119682Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:30.515{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bc660|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119681Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:30.515{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10ac30|C:\Windows\System32\SHELL32.dll+bc61c|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119680Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:30.514{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bc5f0|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119679Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:30.514{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+1007b9|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119678Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:30.334{5F3DCEF0-286D-623C-1100-000000004202}4081592C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119677Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:30.334{5F3DCEF0-286D-623C-1100-000000004202}4081592C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119676Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:30.287{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119675Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:30.287{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119674Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:30.287{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119673Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:30.287{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000119695Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:30.014{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63321-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119694Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:31.615{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5920B90DB63A3A0623145768C01A57F9,SHA256=9E08A5B7559F292555EAAB6A280C76C0189F30CE7F6F8618138CAE78F13BE6FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085848Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:31.536{9531C931-286E-623C-2100-000000004302}2000NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B25FDCC12974A9C381F03B139373D5A,SHA256=CCB13157BCC6FA0284F12C6446F2447FFDD0F4F85F98465868293CDAEA96B09E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119704Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:32.772{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119703Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:32.772{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119702Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:32.694{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF8D513C7EC0C6944315E0017B28EB4D,SHA256=68B2BA7EB8CC42CB14BBD7ED973017391C4D9D6492289F1BDF4BACE53EC46707,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085849Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:32.036{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=176886F98D7E629C3D39258255488F2B,SHA256=8B9E399B2D06038285DFDFB1D818864999974D6150CEA5C39ED4B51FBDC8457B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119701Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:32.600{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119700Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:32.600{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119699Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:32.537{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119698Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:32.537{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119697Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:32.491{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119696Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:32.491{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119707Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:33.787{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=745C64B352BC4162E2EDF772BC56F076,SHA256=DDE42DA2352BDC55F45027DF0A3B83199B203DD0A1967FAB15BF823FD5EA4497,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085852Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:31.069{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51687-false10.0.1.12-8089- 354300x800000000000000085851Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:30.725{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51686-false10.0.1.12-8000- 23542300x800000000000000085850Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:33.130{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDD17D0345AAB15952F6F1D330E8BB61,SHA256=D530E7CC6AABE14083306854F62DB015CE6E5774BA9E198A0F45B7829BCB6AEF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119706Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:33.443{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119705Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:33.443{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119710Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:34.881{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06A837B4B4C84E57492192EC9C9A9B04,SHA256=4A6F959CBA4869586F9D28A2A579824E5A3F9F559BFEA9A4A672FB6957F04337,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085853Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:34.223{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77931585769121D21AAD78011093A444,SHA256=0A419E4A612B993E34FB2827B500B52FFF4E0C0ECBFFCC4587CFECE6A88DD1F5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119709Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:34.584{5F3DCEF0-286D-623C-0D00-000000004202}8841160C:\Windows\system32\svchost.exe{5F3DCEF0-4E9D-623C-7605-000000004202}7004C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3d877|c:\windows\system32\rpcss.dll+29a97|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119708Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:34.584{5F3DCEF0-286D-623C-0D00-000000004202}8841160C:\Windows\system32\svchost.exe{5F3DCEF0-4E9D-623C-7605-000000004202}7004C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3d877|c:\windows\system32\rpcss.dll+29a97|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119714Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:35.959{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9ACCCF0D41D32607FFAB8998CBEB1F5,SHA256=ACA53464DE2C809804A76886675561024E8F971071518C4767213E8999D25EA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085854Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:35.317{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22B82E8F19B7EB6A22DCF7CBF24042E9,SHA256=380B896156E5534DA86B72C53685D70025704A7AECB6308D692A7CA9C52ABC65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119713Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:35.740{5F3DCEF0-287B-623C-3200-000000004202}2344NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=B568DFEAEAF6F8FA391F45B1E2193DB8,SHA256=380080738823BA91E8525525274B5A26D67021145851049551DD65582C8EB846,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119712Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:35.709{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119711Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:35.709{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000085855Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:36.412{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E692A07117C49A7BB33C5B79C7313B4,SHA256=82C160A1CD7095BC1BC1B99B190B2EC9613BEC48E502100DC566D51988401327,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085856Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:37.505{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D15F69755EEAB9C2053E2FD1DBA5FBD7,SHA256=3D11476725DDDADDC66CD13432EC99DCB2B7552920CEC2276C57AF65FE7D7E7F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119720Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:35.795{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63322-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000119719Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:37.741{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119718Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:37.741{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119717Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:37.397{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119716Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:37.397{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119715Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:37.053{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DC9182B4CFFEF876A56C7D1015865E2,SHA256=3AF2CCF281767CD2C96C344885435BE4900FB20C95D5D879F1E373AED843DA84,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085858Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:36.619{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51688-false10.0.1.12-8000- 23542300x800000000000000085857Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:38.599{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B58CBE6F60C9104698E04606E403DB06,SHA256=C951915A79974E7C4CA41C24D9D77822C21AB5BD7FD01C498E551CD2E684D5F6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119725Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:38.303{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119724Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:38.303{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119723Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:38.272{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119722Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:38.272{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119721Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:38.147{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEEA8C0AB46AB9476D9D1ED60D8129D7,SHA256=237B69500EE2D7CB9FDE3588E7B94E921C888FA815865565CBCE0C76EF9C02A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085859Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:39.708{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B09B97B406A89EF0D53829FDC81A69A1,SHA256=4F8EC0D5CD8C1034BB3FDCE1554F6F28AB010775C7C8E715046C341B105E7969,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119727Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:39.241{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2CADC2F04E67D4731A1F68ACF59E656,SHA256=F641D0C8B07EC2305E39C09DBF32D544733B08EF51F35756C066A5427DD4D0F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119726Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:39.179{5F3DCEF0-286D-623C-1300-000000004202}488NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=F734D799B17BA55F0F74F3EB99F58F25,SHA256=D5D241F6666D8CCC22C747018595D5843EC9A19E4DEC8B20D05FAB7AA45CE58A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085861Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:40.802{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5905541C471541128C5EA01C728EC240,SHA256=B9736E785E36C66A9D3B87477048A172A749CC7C0730B49B46F9747ED6426B1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119728Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:40.225{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26938B05A079F2BC25D830E272E8B0D1,SHA256=77BF07536290A946B16ADC3F32B6D379A3FBEAA3B4C92010DAF5AD9F4ECF23F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085860Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:40.005{9531C931-286D-623C-1200-000000004302}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=D06C145D8149CC19682CA7828180ED0F,SHA256=1246906F0C8DAED20B342B07FA5BBD633B8EE2DD51AD2CB11DFFEC98C275E076,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085862Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:41.896{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DF6E236FA64C2F1251BF60BF9021DB7,SHA256=ED77620E43E8DD5D95B127AA30AFBA2983A41E34EFDA8E2474821C8B5334A047,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119730Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:41.788{5F3DCEF0-287B-623C-3200-000000004202}2344NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B25FDCC12974A9C381F03B139373D5A,SHA256=CCB13157BCC6FA0284F12C6446F2447FFDD0F4F85F98465868293CDAEA96B09E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119729Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:41.319{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5B8B62736F7A32271D8F52B58A2A5C3,SHA256=378EFFAC612670053BCF774D3912DE804B2DFC79CDB5B6010851B4149002EAA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085863Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:42.990{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CF608B98B2328CB0C1BB4F997FEA891,SHA256=23457DE8CFD37C78FC0A0B9B66DF8C8A27B2352F395E8D4BEE60A93FD5B83B4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119732Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:42.819{5F3DCEF0-5000-623C-BD05-000000004202}6696ATTACKRANGE\AdministratorC:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\AppData\Local\dnSpy\Startup64\net\startup-roslyn.profileMD5=F711A9B9FAE0098BA5A5E744907EF676,SHA256=20D7F7C5C87D21AE073D4F954CF9974341F490AC69B48376F12AA83D054C89E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119731Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:42.413{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80CACBA440835CEEF7299CB1022AD6A0,SHA256=939A6BAFA2EF07DDFD78D5BBE41B9038F93B71D64525C318851A4E05CFA1FA0A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119742Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:43.725{5F3DCEF0-28A1-623C-9400-000000004202}50246948C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+8a220|C:\Windows\System32\ole32.dll+8c32e|C:\Windows\System32\ole32.dll+8c7fb|C:\Windows\System32\SHELL32.dll+2c905d|C:\Windows\System32\SHELL32.dll+2839ce|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+5888a 10341000x8000000000000000119741Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:43.647{5F3DCEF0-286D-623C-1600-000000004202}12601932C:\Windows\system32\svchost.exe{5F3DCEF0-500F-623C-BE05-000000004202}5068C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119740Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:43.647{5F3DCEF0-286D-623C-1600-000000004202}12601344C:\Windows\system32\svchost.exe{5F3DCEF0-500F-623C-BE05-000000004202}5068C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119739Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:43.632{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-500F-623C-BE05-000000004202}5068C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119738Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:43.632{5F3DCEF0-289E-623C-8500-000000004202}29804132C:\Windows\system32\csrss.exe{5F3DCEF0-500F-623C-BE05-000000004202}5068C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119737Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:43.632{5F3DCEF0-286A-623C-0500-000000004202}404520C:\Windows\system32\csrss.exe{5F3DCEF0-500F-623C-BE05-000000004202}5068C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119736Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:43.632{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-500F-623C-BE05-000000004202}5068C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f553|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25bc9|c:\windows\system32\rpcss.dll+40ca2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119735Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:43.507{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A0AEC0F6583850A063DCE5567A1F125,SHA256=04CA2CCD61ADAEB26B07C4D37A3B53182CB7215155E93018E066A3107B440D36,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119734Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:41.530{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63324-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000119733Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:40.827{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63323-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119753Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:44.685{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=11BA83BF5DF7B26977B446570985C000,SHA256=B96051806356788F42F19FC2A4339CAD976954F6E80B6873CBE60F2DDAADF8F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119752Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:44.610{5F3DCEF0-28A1-623C-9400-000000004202}50246296C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119751Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:44.609{5F3DCEF0-28A1-623C-9400-000000004202}50246296C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119750Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:44.609{5F3DCEF0-28A1-623C-9400-000000004202}50246296C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119749Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:44.601{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bc660|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119748Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:44.601{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10ac30|C:\Windows\System32\SHELL32.dll+bc61c|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119747Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:44.601{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bc5f0|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119746Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:44.601{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+1007b9|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119745Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:44.571{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E50F09E665A28E9390CA953EB992D2FE,SHA256=1C46EBA0F499B00D5C070285A9FE0245091683E1173731FE99356E68ACD1C633,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085865Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:42.601{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51689-false10.0.1.12-8000- 23542300x800000000000000085864Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:44.083{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E67BEF5F6B7AA741CB16626C95EC8AF9,SHA256=BD9A9E9F0D6AB7CA580C6C6FFEB9BDCD33CF0BE57481CE0971FF91CE92F56607,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119744Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:44.225{5F3DCEF0-28A1-623C-9400-000000004202}50246948C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+8a12e|C:\Windows\System32\ole32.dll+89a2b|C:\Windows\System32\ole32.dll+88be7|C:\Windows\System32\ole32.dll+8c817|C:\Windows\System32\SHELL32.dll+2c905d|C:\Windows\System32\SHELL32.dll+2839ce|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9 10341000x8000000000000000119743Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:44.225{5F3DCEF0-28A1-623C-9400-000000004202}50246948C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+b5f02|C:\Windows\System32\ole32.dll+899f9|C:\Windows\System32\ole32.dll+88be7|C:\Windows\System32\ole32.dll+8c817|C:\Windows\System32\SHELL32.dll+2c905d|C:\Windows\System32\SHELL32.dll+2839ce|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9 10341000x8000000000000000119756Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:45.835{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119755Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:45.835{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119754Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:45.648{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68A64F0BC21B7D2DA0575104A4E2D81E,SHA256=C97367B9DAF85CFF63CC5ACDB2FB890B9E6A722E1857A5C845DD61AFA71E471F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085866Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:45.177{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDA03997FFB7EC4209C70F7B78F0ED16,SHA256=2F4A5155A19B730543E5F19F6FFA3C973904E686333F67CE9033375B25AD07DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119757Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:46.741{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36E24AF2757944BC95CDE744EE7EB8F2,SHA256=E1CDB40FB7B084D03686C22970C864B1F5888D1D4705724C397B910A745DBDD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085867Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:46.271{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5ED34E58AFEC2794D93BA8142366D0E,SHA256=B5AF14C1B319147DC93284FC89A34A2BEAC5DA32D595DAAA7D9EF265CBBA3EE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119758Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:47.835{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=748590C19A6DD87E0BA27A6C76DC14D0,SHA256=0E74579715106BEC547FF43262230E92878865B4A20AE2F8AB2F467173584CA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085868Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:47.365{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C420B4C37E01D8BC917B77B527A7D43,SHA256=86575016E5B95E0DFED615F4A9C8366E9383264532A5F729A0C9032D4E3C759F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119761Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:48.976{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119760Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:48.976{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119759Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:48.929{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D2732C4851CB3D9D53DD81E12373BBD,SHA256=34DC1CEA20A8A8BDCA28D0CC8EED930B9A4935725ED8F41FA8058A8E815BA1FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085869Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:48.459{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A35123A4B477D8367A0286F4A924CAA8,SHA256=E0DC8618C9E0DDDA11E593A74E807910DD07512BBBB3D58B0AA90D39983C1826,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085870Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:49.552{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A1481EE445A14209ADCFC3F0B2E7E7A,SHA256=BF0195E7ED2A79CA799593121E812DBFC7BF9733F7FB42DF2E6F5E7FA81C0030,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119765Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:46.844{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63325-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000119764Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:49.038{5F3DCEF0-28A1-623C-9400-000000004202}50246296C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119763Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:49.038{5F3DCEF0-28A1-623C-9400-000000004202}50246296C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119762Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:49.038{5F3DCEF0-28A1-623C-9400-000000004202}50246296C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000085872Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:48.617{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51690-false10.0.1.12-8000- 23542300x800000000000000085871Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:50.646{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F372C3C1312E1549E38E40226C305C89,SHA256=D915F0D9D857CA91849B6E63CCD1D02FEAF62EBAE0410B46D832006D2D45662E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119802Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:50.976{5F3DCEF0-5000-623C-BD05-000000004202}66964364C:\Users\Administrator\Downloads\dnSpy.exe{5F3DCEF0-5016-623C-BF05-000000004202}3832C:\Temp\doublezero-cleaned.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+2d6a1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+104b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+11e6c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+2c214|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+120a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119801Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:50.835{5F3DCEF0-28A1-623C-9400-000000004202}50246296C:\Windows\Explorer.EXE{5F3DCEF0-5016-623C-BF05-000000004202}3832C:\Temp\doublezero-cleaned.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119800Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:50.835{5F3DCEF0-28A1-623C-9400-000000004202}50246296C:\Windows\Explorer.EXE{5F3DCEF0-5016-623C-BF05-000000004202}3832C:\Temp\doublezero-cleaned.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119799Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:50.835{5F3DCEF0-28A1-623C-9400-000000004202}50246296C:\Windows\Explorer.EXE{5F3DCEF0-5016-623C-BF05-000000004202}3832C:\Temp\doublezero-cleaned.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119798Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:50.835{5F3DCEF0-28A1-623C-8F00-000000004202}47164784C:\Windows\system32\taskhostw.exe{5F3DCEF0-5016-623C-C005-000000004202}6456C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119797Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:50.835{5F3DCEF0-28A1-623C-8F00-000000004202}47164784C:\Windows\system32\taskhostw.exe{5F3DCEF0-5016-623C-C005-000000004202}6456C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119796Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:50.820{5F3DCEF0-28A1-623C-9400-000000004202}50243520C:\Windows\Explorer.EXE{5F3DCEF0-5016-623C-BF05-000000004202}3832C:\Temp\doublezero-cleaned.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119795Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:50.820{5F3DCEF0-28A1-623C-9400-000000004202}50243520C:\Windows\Explorer.EXE{5F3DCEF0-5016-623C-BF05-000000004202}3832C:\Temp\doublezero-cleaned.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119794Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:50.820{5F3DCEF0-28A1-623C-9400-000000004202}50243520C:\Windows\Explorer.EXE{5F3DCEF0-5016-623C-BF05-000000004202}3832C:\Temp\doublezero-cleaned.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119793Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:50.820{5F3DCEF0-28A1-623C-9400-000000004202}50243520C:\Windows\Explorer.EXE{5F3DCEF0-5016-623C-BF05-000000004202}3832C:\Temp\doublezero-cleaned.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119792Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:50.804{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-5016-623C-C005-000000004202}6456C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bc660|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119791Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:50.804{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-5016-623C-C005-000000004202}6456C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10ac30|C:\Windows\System32\SHELL32.dll+bc61c|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119790Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:50.804{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-5016-623C-C005-000000004202}6456C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bc5f0|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119789Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:50.804{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-5016-623C-C005-000000004202}6456C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+1007b9|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119788Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:50.789{5F3DCEF0-286D-623C-1600-000000004202}12601932C:\Windows\system32\svchost.exe{5F3DCEF0-5016-623C-C005-000000004202}6456C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119787Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:50.789{5F3DCEF0-286D-623C-1600-000000004202}12601344C:\Windows\system32\svchost.exe{5F3DCEF0-5016-623C-C005-000000004202}6456C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119786Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:50.757{5F3DCEF0-5016-623C-C005-000000004202}64565824C:\Windows\system32\conhost.exe{5F3DCEF0-5016-623C-BF05-000000004202}3832C:\Temp\doublezero-cleaned.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119785Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:50.726{5F3DCEF0-289E-623C-8500-000000004202}29804132C:\Windows\system32\csrss.exe{5F3DCEF0-5016-623C-C005-000000004202}6456C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119784Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:50.726{5F3DCEF0-286D-623C-1200-000000004202}3961416C:\Windows\System32\svchost.exe{5F3DCEF0-5016-623C-C005-000000004202}6456C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119783Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:50.726{5F3DCEF0-5000-623C-BD05-000000004202}6696ATTACKRANGE\AdministratorC:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\AppData\Local\Temp\WPF\dnzjn42p.jtuMD5=825AB5E8C725411B8B9C319BDCC8EA4E,SHA256=2E3A2C34CC9728CB3C1915E1C778FD0D63D46AC8E238C90726C96E4A31042357,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119782Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:50.726{5F3DCEF0-5000-623C-BD05-000000004202}66964364C:\Users\Administrator\Downloads\dnSpy.exe{5F3DCEF0-5016-623C-BF05-000000004202}3832C:\Temp\doublezero-cleaned.exe0x12367bC:\Windows\SYSTEM32\ntdll.dll+a9414|C:\Windows\System32\KERNELBASE.dll+c7145|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+11fc7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119781Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:50.726{5F3DCEF0-5000-623C-BD05-000000004202}66964364C:\Users\Administrator\Downloads\dnSpy.exe{5F3DCEF0-5016-623C-BF05-000000004202}3832C:\Temp\doublezero-cleaned.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+2d6a1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+342a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+37aa|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+1ff2|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13db8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+12047|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119780Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:50.726{5F3DCEF0-5000-623C-BD05-000000004202}66964364C:\Users\Administrator\Downloads\dnSpy.exe{5F3DCEF0-5016-623C-BF05-000000004202}3832C:\Temp\doublezero-cleaned.exe0x101479C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+3791|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+1ff2|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13db8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+12047|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119779Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:50.726{5F3DCEF0-5000-623C-BD05-000000004202}66964364C:\Users\Administrator\Downloads\dnSpy.exe{5F3DCEF0-5016-623C-BF05-000000004202}3832C:\Temp\doublezero-cleaned.exe0x101479C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+56000|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13d66|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+12047|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119778Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:50.726{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119777Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:50.726{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119776Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:50.726{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119775Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:50.726{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119774Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:50.726{5F3DCEF0-289E-623C-8500-000000004202}29802452C:\Windows\system32\csrss.exe{5F3DCEF0-5016-623C-BF05-000000004202}3832C:\Temp\doublezero-cleaned.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119773Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:50.726{5F3DCEF0-5000-623C-BD05-000000004202}66964364C:\Users\Administrator\Downloads\dnSpy.exe{5F3DCEF0-5016-623C-BF05-000000004202}3832C:\Temp\doublezero-cleaned.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+7436c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+5526b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13d31|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+12047|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119772Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:50.726{5F3DCEF0-286D-623C-1200-000000004202}3961416C:\Windows\System32\svchost.exe{5F3DCEF0-5016-623C-BF05-000000004202}3832C:\Temp\doublezero-cleaned.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119771Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:50.731{5F3DCEF0-5016-623C-BF05-000000004202}3832C:\Temp\doublezero-cleaned.exe-----"C:\Temp\doublezero-cleaned.exe"C:\Temp\ATTACKRANGE\Administrator{5F3DCEF0-28A0-623C-DB99-080000000000}0x899db2HighMD5=38A15145105BE943415EB1B1602C9C31,SHA256=0608FB940E1CE2EF38E3D16A6A0E436390AE87A193C4FE9AC7118510DB86B495,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe"C:\Users\Administrator\Downloads\dnSpy.exe" 10341000x8000000000000000119770Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:50.695{5F3DCEF0-286B-623C-0B00-000000004202}620820C:\Windows\system32\lsass.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119769Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:50.538{5F3DCEF0-28A1-623C-9400-000000004202}50246296C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119768Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:50.538{5F3DCEF0-28A1-623C-9400-000000004202}50246296C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119767Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:50.538{5F3DCEF0-28A1-623C-9400-000000004202}50246296C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119766Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:50.023{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE70E954721F8A86846117EEB6C8E344,SHA256=A7F4CF605AA0158F216868CAD951850A72E87C4162EE85CF2CAD9F660CDF93D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085873Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:51.740{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B448E61BA30DD9FF318E69B80ED7D08,SHA256=C7A6ED5BF78C0EDB575FA998E678A978534120EFD556C1E33B919E2DDCBD43EB,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000119824Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:51.804{5F3DCEF0-5016-623C-BF05-000000004202}3832C:\Temp\doublezero-cleaned.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 23542300x8000000000000000119823Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:51.804{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AC0BBFB8F7CF42A84DD4D0295AE82879,SHA256=6951C2A57DD10704F48933FF58F4D1767494572EA12BCD919F2FC1BA08396254,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119822Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:51.788{5F3DCEF0-286B-623C-0B00-000000004202}620820C:\Windows\system32\lsass.exe{5F3DCEF0-5016-623C-BF05-000000004202}3832C:\Temp\doublezero-cleaned.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119821Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:51.788{5F3DCEF0-286B-623C-0B00-000000004202}620820C:\Windows\system32\lsass.exe{5F3DCEF0-5016-623C-BF05-000000004202}3832C:\Temp\doublezero-cleaned.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119820Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:51.788{5F3DCEF0-286B-623C-0B00-000000004202}620820C:\Windows\system32\lsass.exe{5F3DCEF0-5016-623C-BF05-000000004202}3832C:\Temp\doublezero-cleaned.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119819Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:51.757{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-5016-623C-BF05-000000004202}3832C:\Temp\doublezero-cleaned.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119818Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:51.757{5F3DCEF0-286B-623C-0B00-000000004202}620820C:\Windows\system32\lsass.exe{5F3DCEF0-5016-623C-BF05-000000004202}3832C:\Temp\doublezero-cleaned.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119817Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:51.741{5F3DCEF0-286B-623C-0B00-000000004202}620820C:\Windows\system32\lsass.exe{5F3DCEF0-5016-623C-BF05-000000004202}3832C:\Temp\doublezero-cleaned.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119816Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:51.741{5F3DCEF0-286B-623C-0B00-000000004202}620820C:\Windows\system32\lsass.exe{5F3DCEF0-5016-623C-BF05-000000004202}3832C:\Temp\doublezero-cleaned.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119815Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:51.585{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9640E4876DD639A41C84F3BB443437E8,SHA256=5C4E6F42EF100B9F84A92AD602702354DFD52EA6A959AE1B7C05F00BF01CEBA8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119814Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:51.413{5F3DCEF0-286B-623C-0B00-000000004202}620820C:\Windows\system32\lsass.exe{5F3DCEF0-5016-623C-BF05-000000004202}3832C:\Temp\doublezero-cleaned.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119813Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:51.366{5F3DCEF0-5000-623C-BD05-000000004202}66964384C:\Users\Administrator\Downloads\dnSpy.exe{5F3DCEF0-5016-623C-BF05-000000004202}3832C:\Temp\doublezero-cleaned.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FFB71F777CC) 10341000x8000000000000000119812Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:51.257{5F3DCEF0-5000-623C-BD05-000000004202}66964572C:\Users\Administrator\Downloads\dnSpy.exe{5F3DCEF0-5016-623C-BF05-000000004202}3832C:\Temp\doublezero-cleaned.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FFB71F28BCB) 10341000x8000000000000000119811Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:51.257{5F3DCEF0-5000-623C-BD05-000000004202}66964572C:\Users\Administrator\Downloads\dnSpy.exe{5F3DCEF0-5016-623C-BF05-000000004202}3832C:\Temp\doublezero-cleaned.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FFB71F28BCB) 10341000x8000000000000000119810Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:51.116{5F3DCEF0-5000-623C-BD05-000000004202}66964572C:\Users\Administrator\Downloads\dnSpy.exe{5F3DCEF0-5016-623C-BF05-000000004202}3832C:\Temp\doublezero-cleaned.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FFB71F28BCB) 10341000x8000000000000000119809Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:51.116{5F3DCEF0-5000-623C-BD05-000000004202}66964572C:\Users\Administrator\Downloads\dnSpy.exe{5F3DCEF0-5016-623C-BF05-000000004202}3832C:\Temp\doublezero-cleaned.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FFB71F28BCB) 10341000x8000000000000000119808Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:51.116{5F3DCEF0-5000-623C-BD05-000000004202}66964572C:\Users\Administrator\Downloads\dnSpy.exe{5F3DCEF0-5016-623C-BF05-000000004202}3832C:\Temp\doublezero-cleaned.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FFB71F32A4B) 10341000x8000000000000000119807Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:51.101{5F3DCEF0-5000-623C-BD05-000000004202}66964572C:\Users\Administrator\Downloads\dnSpy.exe{5F3DCEF0-5016-623C-BF05-000000004202}3832C:\Temp\doublezero-cleaned.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FFB71F28BCB) 10341000x8000000000000000119806Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:51.086{5F3DCEF0-5000-623C-BD05-000000004202}66964572C:\Users\Administrator\Downloads\dnSpy.exe{5F3DCEF0-5016-623C-BF05-000000004202}3832C:\Temp\doublezero-cleaned.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FFB71F28BCB) 10341000x8000000000000000119805Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:51.086{5F3DCEF0-286B-623C-0B00-000000004202}620820C:\Windows\system32\lsass.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119804Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:51.086{5F3DCEF0-5000-623C-BD05-000000004202}66964572C:\Users\Administrator\Downloads\dnSpy.exe{5F3DCEF0-5016-623C-BF05-000000004202}3832C:\Temp\doublezero-cleaned.exe0x1038C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FFB71F27866) 10341000x8000000000000000119803Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:51.086{5F3DCEF0-5000-623C-BD05-000000004202}66964384C:\Users\Administrator\Downloads\dnSpy.exe{5F3DCEF0-5016-623C-BF05-000000004202}3832C:\Temp\doublezero-cleaned.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FFB71F23DF9) 23542300x800000000000000085902Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:52.851{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05A9D57EC438BFF0AACDA94E199E9BFE,SHA256=A1D01F687CDF9FC607CC55C5D9C76727B051773F36154CBA4A418082ED4D02A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085901Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:52.789{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-5018-623C-2F05-000000004302}1564C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085900Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:52.789{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085899Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:52.789{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085898Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:52.789{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085897Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:52.789{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085896Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:52.789{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085895Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:52.789{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085894Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:52.789{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085893Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:52.789{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085892Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:52.789{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085891Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:52.789{9531C931-286C-623C-0500-000000004302}408424C:\Windows\system32\csrss.exe{9531C931-5018-623C-2F05-000000004302}1564C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085890Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:52.789{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-5018-623C-2F05-000000004302}1564C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085889Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:52.789{9531C931-5018-623C-2F05-000000004302}1564C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000119833Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:52.398{5F3DCEF0-28A1-623C-9400-000000004202}50246296C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119832Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:52.398{5F3DCEF0-28A1-623C-9400-000000004202}50246296C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119831Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:52.398{5F3DCEF0-28A1-623C-9400-000000004202}50246296C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119830Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:52.398{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bc660|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119829Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:52.398{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10ac30|C:\Windows\System32\SHELL32.dll+bc61c|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119828Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:52.398{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bc5f0|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119827Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:52.398{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+1007b9|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119826Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:52.366{5F3DCEF0-5016-623C-BF05-000000004202}3832ATTACKRANGE\AdministratorC:\Temp\doublezero-cleaned.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\SchCache\win-dc-tcontreras-attack-range-891.attackrange.local.schMD5=3B3531A335298119AD90D9B9BEB810AF,SHA256=77996876B4230A7DFCE13A77C0AA2E3B969AFA2A4562FD8583B6DDE3742EB2AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119825Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:52.117{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2A16053A8C41F9D8C4D1E4264E700EE,SHA256=0BC5151C793C75C893A32F3EF4BCEEFB64D3442C97C13546216C2C3D32D96D44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085888Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:52.572{9531C931-286E-623C-1F00-000000004302}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0461bb3aaa367e86a\channels\health\respondent-20220324081441-164MD5=E0BA989DE2EAC2D304FA728EF5181BE5,SHA256=79811ABCB3575FCAAAD7A2ED1966FC2D319842A68AFDD7DF3600AD47FF32DF65,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085887Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:52.507{9531C931-5018-623C-2E05-000000004302}37242544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085886Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:52.288{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-5018-623C-2E05-000000004302}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085885Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:52.288{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085884Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:52.288{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085883Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:52.288{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085882Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:52.288{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085881Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:52.288{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085880Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:52.288{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085879Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:52.288{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085878Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:52.288{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085877Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:52.288{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085876Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:52.288{9531C931-286C-623C-0500-000000004302}408424C:\Windows\system32\csrss.exe{9531C931-5018-623C-2E05-000000004302}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085875Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:52.288{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-5018-623C-2E05-000000004302}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085874Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:52.289{9531C931-5018-623C-2E05-000000004302}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000085905Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:53.834{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56312912D1C519022BEF0A4734785DAD,SHA256=C9DCFA5849F89542D56A00D336747A9664B5469C846FA306487FA8641342A765,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000119837Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:51.791{5F3DCEF0-5016-623C-BF05-000000004202}3832win-dc-tcontreras-attack-range-891.attackrange.local0fe80::44c5:ef28:42ec:7b5;::ffff:10.0.1.14;C:\Temp\doublezero-cleaned.exe 354300x8000000000000000119836Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:51.554{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63326-false10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local389ldap 354300x8000000000000000119835Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:51.554{5F3DCEF0-5016-623C-BF05-000000004202}3832C:\Temp\doublezero-cleaned.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63326-false10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local389ldap 23542300x8000000000000000119834Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:53.226{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96C43F3C97ACC7F5778343D80ACEEF49,SHA256=5717B044D02AD31AB01A9F547AA826A2D42B93093D68F4AD95A544B854CF8AA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085904Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:53.571{9531C931-286E-623C-1F00-000000004302}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0461bb3aaa367e86a\channels\health\surveyor-20220324081439-165MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085903Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:53.320{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C928314B17127415B9B88D9E5E2FF5AD,SHA256=EF734D9F947DC5C836DF0C6A2CCD7375B587E8C25B9F9D35292783C669212B92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085906Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:54.930{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CA413E19707D90C9CC46232BC49D6E5,SHA256=8296DF4660A1968BDD8F3D9D8279E6251DF1F2ABC553347FB830B5E75E5E482B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119839Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:54.320{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14FFE82D40D7F85500114C847EE7E34F,SHA256=EB95A00D27154FBF256C061F49D8BE18B1B36A66B304D7314980F8BD392DEBC4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119838Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:51.984{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63327-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000085934Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:55.946{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-501B-623C-3105-000000004302}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085933Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:55.946{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085932Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:55.946{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085931Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:55.946{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085930Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:55.946{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085929Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:55.946{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085928Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:55.946{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085927Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:55.946{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085926Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:55.946{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085925Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:55.946{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085924Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:55.946{9531C931-286C-623C-0500-000000004302}408424C:\Windows\system32\csrss.exe{9531C931-501B-623C-3105-000000004302}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085923Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:55.946{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-501B-623C-3105-000000004302}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085922Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:55.947{9531C931-501B-623C-3105-000000004302}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000119840Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:55.413{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0632B43C4F7893CF9A84B15F426213F,SHA256=4255CABEF12614E08C1AAF38E19BE50C28D262FF5FB92D02AF0115DF86473A23,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085921Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:53.710{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51691-false10.0.1.12-8000- 23542300x800000000000000085920Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:55.821{9531C931-286E-623C-2100-000000004302}2000NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=A21C4CE9D6D8611DD183610F78C07E4C,SHA256=33FB0C217F1579F184921ECC4441D498C9AD381FF3A91975CB5AC1A35095A0FB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085919Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:55.008{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-501B-623C-3005-000000004302}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085918Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:55.008{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085917Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:55.008{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085916Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:55.008{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085915Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:55.008{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085914Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:55.008{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085913Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:55.008{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085912Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:55.008{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085911Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:55.008{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085910Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:55.008{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085909Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:55.008{9531C931-286C-623C-0500-000000004302}408424C:\Windows\system32\csrss.exe{9531C931-501B-623C-3005-000000004302}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085908Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:55.008{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-501B-623C-3005-000000004302}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085907Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:55.009{9531C931-501B-623C-3005-000000004302}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000119841Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:56.503{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D4AB194F9CF2EA49316D40AE6058207,SHA256=FEC87573C96C08F27B29DA0F679B5F4EDCF2ABFBA1805341FF8459C83DD4F80A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085949Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:56.830{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-501C-623C-3205-000000004302}2724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085948Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:56.830{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085947Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:56.830{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085946Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:56.830{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085945Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:56.830{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085944Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:56.830{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085943Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:56.830{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085942Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:56.830{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085941Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:56.830{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085940Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:56.830{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085939Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:56.830{9531C931-286C-623C-0500-000000004302}4081060C:\Windows\system32\csrss.exe{9531C931-501C-623C-3205-000000004302}2724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085938Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:56.830{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-501C-623C-3205-000000004302}2724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085937Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:56.831{9531C931-501C-623C-3205-000000004302}2724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000085936Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:56.362{9531C931-501B-623C-3105-000000004302}1723688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000085935Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:56.024{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63772B3EEE2451543F364832FCABCA99,SHA256=F7616BF302C528DD2FE3E8AA29857DCED1D027A19B2D4578231E728645ACAB9D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119872Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:57.915{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119871Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:57.915{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119870Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:57.868{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119869Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:57.868{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119868Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:57.680{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119867Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:57.680{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119866Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:57.649{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119865Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:57.649{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119864Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:57.633{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119863Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:57.633{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119862Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:57.618{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119861Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:57.618{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119860Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:57.602{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119859Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:57.602{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119858Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:57.587{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119857Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:57.587{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119856Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:57.587{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119855Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:57.587{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119854Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:57.571{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119853Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:57.571{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119852Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:57.571{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=702A0925E9527D1AEB649B9E6D7B6AF6,SHA256=2683BF82A582622F9A32E06FDE3F5D0ACC4831F1F88AFADCF2CC91B0ECB9A821,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119851Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:57.555{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119850Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:57.555{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119849Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:57.540{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119848Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:57.540{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119847Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:57.508{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119846Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:57.508{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119845Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:57.508{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119844Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:57.508{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085965Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:57.549{9531C931-501D-623C-3305-000000004302}19003720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085964Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:57.330{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-501D-623C-3305-000000004302}1900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085963Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:57.330{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085962Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:57.330{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085961Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:57.330{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085960Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:57.330{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085959Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:57.330{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085958Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:57.330{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085957Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:57.330{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085956Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:57.330{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085955Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:57.330{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085954Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:57.330{9531C931-286C-623C-0500-000000004302}4081060C:\Windows\system32\csrss.exe{9531C931-501D-623C-3305-000000004302}1900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085953Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:57.330{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-501D-623C-3305-000000004302}1900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085952Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:57.331{9531C931-501D-623C-3305-000000004302}1900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000085951Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:57.284{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23D2B6E08C3BB48F9602D5D9CE64AE0A,SHA256=E19BA1A6F5DAD95D92610EB4EF513F2ACE5B1C4793B6B3ECC37600BC0F945232,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085950Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:57.080{9531C931-501C-623C-3205-000000004302}27243160C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119843Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:57.415{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119842Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:57.415{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119875Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:58.946{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05EACB3BE58E90C42B6CBE53A6C1F4C1,SHA256=B8AFCF4F63774039959E428100880A5354F2F7751ED254AA326F3A90A4BF2597,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085966Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:58.159{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE100DDDE8A4C72078D3F3E82BF2DFD4,SHA256=9ED6ECDCC6526BE6C9507748858A84B0DE3F8E61FE2339CBD56B80DA39CDE0C5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119874Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:58.055{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119873Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:58.055{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119881Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:59.987{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2C0D6177AE6414083F02A5E1C8D75B3,SHA256=D7971AE0CF925645AADEBAE3C080375C8E7310925E3C8ACCC5D75B763CC1AF1D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085980Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:59.315{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-501F-623C-3405-000000004302}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085979Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:59.315{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085978Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:59.315{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085977Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:59.315{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085976Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:59.315{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085975Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:59.315{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085974Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:59.315{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085973Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:59.315{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085972Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:59.315{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085971Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:59.315{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085970Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:59.315{9531C931-286C-623C-0500-000000004302}4081060C:\Windows\system32\csrss.exe{9531C931-501F-623C-3405-000000004302}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085969Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:59.315{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-501F-623C-3405-000000004302}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085968Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:59.316{9531C931-501F-623C-3405-000000004302}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000085967Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:59.252{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED0FA1813093866D98B8EE8C0FF2FC0F,SHA256=EA5F51B6FB7E562DB5F883D777756E83C946D6795AD42B5F2779292EE3DA04E9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119880Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:59.790{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119879Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:59.790{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119878Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:59.774{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119877Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:59.774{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000119876Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:03:57.829{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63328-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000085982Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:00.424{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=603C77B32DE8EB8807CF225C87121799,SHA256=8E0C0A046F8CA0D9DD44342BC9D2F8F54AF40D4C96CA7AA05724434D0EDF78F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085981Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:00.346{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6567A5545857AB875CEB43656BE49D7E,SHA256=ABE8E5C056BC73B330769C23F45528DAD0B8E3BDE9944459DEB1F4CC43C033CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085984Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:01.440{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE62C250B8D53E8F6B95F1F9CEFCA7E0,SHA256=4CE5887FAF94AE01A94B00273FDCFD3FF486E22573099DDF133AEF4FA41910F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119884Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:01.134{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4637125C373911F6A943226593E2BE8A,SHA256=F389012B8E578B5ED62543CFABA056B6D464D82BAFF64F8402FBEAEFF6EABF88,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119883Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:01.009{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119882Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:01.009{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000085983Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:03:58.707{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51692-false10.0.1.12-8000- 23542300x800000000000000085985Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:02.534{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A35C1F6EEDD17FC5D2512882726CAEA1,SHA256=A0859E3E20AF58456D0E8CBD8771E400928D3ED56BD9C09D484141E8333E1935,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119893Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:02.554{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-5022-623C-C105-000000004202}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119892Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:02.554{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119891Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:02.554{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119890Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:02.554{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119889Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:02.554{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119888Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:02.554{5F3DCEF0-286A-623C-0500-000000004202}4041324C:\Windows\system32\csrss.exe{5F3DCEF0-5022-623C-C105-000000004202}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119887Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:02.554{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-5022-623C-C105-000000004202}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119886Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:02.555{5F3DCEF0-5022-623C-C105-000000004202}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000119885Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:02.195{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CB1A110773D1EF398E9113B98E151DD,SHA256=EF26C5C2F60616F4B0172A13D9CDF9A27DF7886A4DD49A2C514B4E1B51D51F36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085986Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:03.627{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B92F0B63D1A825333EE8D6CD7BFFADD0,SHA256=9D879DD5DE16168A6B6FCDFD82062179A7127262B6103C225143F0614EADB33C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119903Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:03.664{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-5023-623C-C205-000000004202}1908C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119902Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:03.664{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119901Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:03.664{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119900Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:03.664{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119899Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:03.664{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119898Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:03.664{5F3DCEF0-286A-623C-0500-000000004202}404608C:\Windows\system32\csrss.exe{5F3DCEF0-5023-623C-C205-000000004202}1908C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119897Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:03.664{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-5023-623C-C205-000000004202}1908C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119896Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:03.665{5F3DCEF0-5023-623C-C205-000000004202}1908C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000119895Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:03.570{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3D405028B12D7DA71FDCD5A5CDF08F12,SHA256=3E7B88B3E2BB91F1CEBD940903282940ADB263ACEDFE1469A64E8237FF176500,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119894Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:03.289{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03432EB4A550C027AA5ED3469F4B8E81,SHA256=108D5B3B16439C15B3242DEB19E2A72752FD9D60DA8AC6F85D94B542E2F12D0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085987Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:04.721{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64A52207D4E2EE0683CEECA284495835,SHA256=BA451F8D603DE60E11272B4F4A0E8901DAFCA4BC5451056D2A51BD8DFF08DFE2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119914Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:04.742{5F3DCEF0-5024-623C-C305-000000004202}22682036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000119913Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:02.937{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63329-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000119912Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:04.586{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-5024-623C-C305-000000004202}2268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119911Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:04.554{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119910Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:04.554{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119909Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:04.554{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119908Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:04.554{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119907Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:04.554{5F3DCEF0-286A-623C-0500-000000004202}404608C:\Windows\system32\csrss.exe{5F3DCEF0-5024-623C-C305-000000004202}2268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119906Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:04.554{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-5024-623C-C305-000000004202}2268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119905Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:04.555{5F3DCEF0-5024-623C-C305-000000004202}2268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000119904Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:04.382{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=476772E72E47C6BEEA7B557DF5D3F3CC,SHA256=172FE2CFFBB3E2F2B55A8475A10F225B895BD9324F84F5A76FDDE55A3821A171,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085988Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:05.815{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E03027EAD286D567CC8A97FB86B50F2,SHA256=B18D4DD6ECA40CA0290E862D636A53D6CB62C80F0BA5A64D16206EA3F99BAE2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119917Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:05.978{5F3DCEF0-287B-623C-3200-000000004202}2344NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=6FBD025875F8DA1B33755E48F6FD6AD9,SHA256=FB4A2D696C15434EAEC2E5E05781745B8F37297476812E5F7B25B5D7CE6A06C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119916Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:05.606{5F3DCEF0-287B-623C-2F00-000000004202}3064NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-055648375a9ac07a7\channels\health\respondent-20220324081453-164MD5=AC296348C12F899BF0F527F2984A2DD1,SHA256=A35560BD23E94F5C9C2AA7752B988DA786BB94608EDDAF755EB3DCD02CE684A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119915Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:05.477{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43860FC3AC55FE76E26B6E9FC5D52E25,SHA256=73CBC6F752649A9610BE8ED2D4501CD59D3E350B0BCAFF54A7A32D152F1CE524,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085989Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:06.909{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=241DE81414A4AFFCCC6C213B7CA298FF,SHA256=12A8A19A3548EDD6B60E95B47BAE650E9CFCAEE016F61FA5D8650932EEDF8BFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119919Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:06.604{5F3DCEF0-287B-623C-2F00-000000004202}3064NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-055648375a9ac07a7\channels\health\surveyor-20220324081451-165MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119918Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:06.572{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BBF994C823EE2E5F7E41CBF56745AA7,SHA256=C3F645C17352F6482553B113D97B070A5877144D024B43DD3B650E8BD9EA0E84,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119931Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:05.877{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local63330-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local389ldap 354300x8000000000000000119930Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:05.877{5F3DCEF0-287B-623C-2E00-000000004202}3044C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local63330-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local389ldap 23542300x8000000000000000119929Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:07.668{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE3108A629D9C2A9AAC99F6B3CB7B8FC,SHA256=A678ECEBF7A68B8AEFAEFA9DB787395A35D8ADD6774C6DFE7F1790C6945A36AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085990Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:04.598{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51693-false10.0.1.12-8000- 10341000x8000000000000000119928Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:07.371{5F3DCEF0-5027-623C-C405-000000004202}70805408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119927Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:07.200{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-5027-623C-C405-000000004202}7080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119926Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:07.200{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119925Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:07.200{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119924Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:07.200{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119923Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:07.200{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119922Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:07.200{5F3DCEF0-286A-623C-0500-000000004202}4041324C:\Windows\system32\csrss.exe{5F3DCEF0-5027-623C-C405-000000004202}7080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119921Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:07.200{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-5027-623C-C405-000000004202}7080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119920Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:07.201{5F3DCEF0-5027-623C-C405-000000004202}7080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000119954Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:08.840{5F3DCEF0-28A1-623C-9400-000000004202}50243216C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119953Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:08.840{5F3DCEF0-28A1-623C-9400-000000004202}50243216C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119952Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:08.840{5F3DCEF0-28A1-623C-9400-000000004202}50243216C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119951Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:08.809{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-5028-623C-C605-000000004202}392C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119950Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:08.809{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119949Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:08.809{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119948Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:08.809{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119947Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:08.809{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119946Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:08.809{5F3DCEF0-286A-623C-0500-000000004202}4041324C:\Windows\system32\csrss.exe{5F3DCEF0-5028-623C-C605-000000004202}392C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119945Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:08.809{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-5028-623C-C605-000000004202}392C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119944Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:08.817{5F3DCEF0-5028-623C-C605-000000004202}392C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000119943Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:08.793{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119942Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:08.793{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119941Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:08.762{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A169FFA0866BD94E66AACC503971658E,SHA256=D7D64890B1478DDFFE19E0956F5BF1A50E6269900254570EB4DDB038E94D4368,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085991Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:08.002{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D03E5AE61381D90E7A16D43239F36E89,SHA256=0D4784613A46BF638005E92D7B96DB67ED7DA37BD7CA3C40F4FDE6BC0262D4C0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119940Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:08.371{5F3DCEF0-5028-623C-C505-000000004202}46286008C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119939Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:08.184{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-5028-623C-C505-000000004202}4628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119938Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:08.184{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119937Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:08.184{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119936Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:08.184{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119935Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:08.184{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119934Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:08.184{5F3DCEF0-286A-623C-0500-000000004202}404520C:\Windows\system32\csrss.exe{5F3DCEF0-5028-623C-C505-000000004202}4628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119933Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:08.184{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-5028-623C-C505-000000004202}4628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119932Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:08.185{5F3DCEF0-5028-623C-C505-000000004202}4628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000119965Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:09.918{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3CBDF4EC8623301ECED0074EACB3158E,SHA256=39983FA7237E94880284617327D98FD651EF49CBF7E98F6518815AF24CA6042E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119964Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:09.871{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=248FC03778B15D00CD7A6649723E2D32,SHA256=1B57ED2B7D20CF01F03DC463564377C1C46EA7F1585272F603CF78A5F1BF0C04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085992Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:09.096{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28A889D9269ABEEDB85FD7E8232B042B,SHA256=A67062DA8D03B5CD1CB9219E8AA19319FE2A6A403A6DA99888AE7D24A9CB1060,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119963Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:09.481{5F3DCEF0-5029-623C-C705-000000004202}21766272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119962Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:09.309{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-5029-623C-C705-000000004202}2176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119961Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:09.309{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119960Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:09.309{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119959Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:09.309{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119958Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:09.309{5F3DCEF0-286A-623C-0500-000000004202}404520C:\Windows\system32\csrss.exe{5F3DCEF0-5029-623C-C705-000000004202}2176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119957Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:09.309{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119956Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:09.309{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-5029-623C-C705-000000004202}2176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119955Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:09.310{5F3DCEF0-5029-623C-C705-000000004202}2176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000120018Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:10.918{5F3DCEF0-502A-623C-C805-000000004202}3984C:\Temp\doublezero-cleaned.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 23542300x800000000000000085993Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:10.190{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA19AFAFA96B32481277E5E93BBE6FBF,SHA256=6687E9AB3ABE5539E16D48B318B3583D86EADBD04DFE105C4A0A08F8FC0CC621,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120017Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:10.888{5F3DCEF0-286B-623C-0B00-000000004202}620820C:\Windows\system32\lsass.exe{5F3DCEF0-502A-623C-C805-000000004202}3984C:\Temp\doublezero-cleaned.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120016Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:10.888{5F3DCEF0-286B-623C-0B00-000000004202}620820C:\Windows\system32\lsass.exe{5F3DCEF0-502A-623C-C805-000000004202}3984C:\Temp\doublezero-cleaned.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120015Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:10.888{5F3DCEF0-286B-623C-0B00-000000004202}620820C:\Windows\system32\lsass.exe{5F3DCEF0-502A-623C-C805-000000004202}3984C:\Temp\doublezero-cleaned.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120014Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:10.871{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-502A-623C-C805-000000004202}3984C:\Temp\doublezero-cleaned.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120013Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:10.840{5F3DCEF0-286B-623C-0B00-000000004202}620820C:\Windows\system32\lsass.exe{5F3DCEF0-502A-623C-C805-000000004202}3984C:\Temp\doublezero-cleaned.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120012Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:10.840{5F3DCEF0-286B-623C-0B00-000000004202}620820C:\Windows\system32\lsass.exe{5F3DCEF0-502A-623C-C805-000000004202}3984C:\Temp\doublezero-cleaned.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120011Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:10.840{5F3DCEF0-286B-623C-0B00-000000004202}620820C:\Windows\system32\lsass.exe{5F3DCEF0-502A-623C-C805-000000004202}3984C:\Temp\doublezero-cleaned.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120010Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:10.639{5F3DCEF0-286B-623C-0B00-000000004202}620820C:\Windows\system32\lsass.exe{5F3DCEF0-502A-623C-C805-000000004202}3984C:\Temp\doublezero-cleaned.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120009Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:10.621{5F3DCEF0-5000-623C-BD05-000000004202}66966452C:\Users\Administrator\Downloads\dnSpy.exe{5F3DCEF0-502A-623C-C805-000000004202}3984C:\Temp\doublezero-cleaned.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FFB71F777CC) 10341000x8000000000000000120008Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:10.543{5F3DCEF0-5000-623C-BD05-000000004202}66964572C:\Users\Administrator\Downloads\dnSpy.exe{5F3DCEF0-502A-623C-C805-000000004202}3984C:\Temp\doublezero-cleaned.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FFB71F28BCB) 10341000x8000000000000000120007Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:10.543{5F3DCEF0-5000-623C-BD05-000000004202}66964572C:\Users\Administrator\Downloads\dnSpy.exe{5F3DCEF0-502A-623C-C805-000000004202}3984C:\Temp\doublezero-cleaned.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FFB71F28BCB) 10341000x8000000000000000120006Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:10.543{5F3DCEF0-5000-623C-BD05-000000004202}66964572C:\Users\Administrator\Downloads\dnSpy.exe{5F3DCEF0-502A-623C-C805-000000004202}3984C:\Temp\doublezero-cleaned.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FFB71F28BCB) 10341000x8000000000000000120005Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:10.543{5F3DCEF0-5000-623C-BD05-000000004202}66964572C:\Users\Administrator\Downloads\dnSpy.exe{5F3DCEF0-502A-623C-C805-000000004202}3984C:\Temp\doublezero-cleaned.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FFB71F28BCB) 10341000x8000000000000000120004Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:10.543{5F3DCEF0-5000-623C-BD05-000000004202}66964572C:\Users\Administrator\Downloads\dnSpy.exe{5F3DCEF0-502A-623C-C805-000000004202}3984C:\Temp\doublezero-cleaned.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FFB71F32A4B) 10341000x8000000000000000120003Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:10.543{5F3DCEF0-5000-623C-BD05-000000004202}66964572C:\Users\Administrator\Downloads\dnSpy.exe{5F3DCEF0-502A-623C-C805-000000004202}3984C:\Temp\doublezero-cleaned.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FFB71F28BCB) 10341000x8000000000000000120002Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:10.528{5F3DCEF0-5000-623C-BD05-000000004202}66964572C:\Users\Administrator\Downloads\dnSpy.exe{5F3DCEF0-502A-623C-C805-000000004202}3984C:\Temp\doublezero-cleaned.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FFB71F28BCB) 10341000x8000000000000000120001Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:10.528{5F3DCEF0-5000-623C-BD05-000000004202}66964572C:\Users\Administrator\Downloads\dnSpy.exe{5F3DCEF0-502A-623C-C805-000000004202}3984C:\Temp\doublezero-cleaned.exe0x1038C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FFB71F27866) 10341000x8000000000000000120000Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:10.528{5F3DCEF0-5000-623C-BD05-000000004202}66966452C:\Users\Administrator\Downloads\dnSpy.exe{5F3DCEF0-502A-623C-C805-000000004202}3984C:\Temp\doublezero-cleaned.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FFB71F23DF9) 10341000x8000000000000000119999Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:10.528{5F3DCEF0-5000-623C-BD05-000000004202}66966968C:\Users\Administrator\Downloads\dnSpy.exe{5F3DCEF0-502A-623C-C805-000000004202}3984C:\Temp\doublezero-cleaned.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+2d6a1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+104b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+11e6c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+2c214|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+120a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119998Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:10.496{5F3DCEF0-28A1-623C-9400-000000004202}50243216C:\Windows\Explorer.EXE{5F3DCEF0-502A-623C-C805-000000004202}3984C:\Temp\doublezero-cleaned.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119997Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:10.496{5F3DCEF0-28A1-623C-9400-000000004202}50243216C:\Windows\Explorer.EXE{5F3DCEF0-502A-623C-C805-000000004202}3984C:\Temp\doublezero-cleaned.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119996Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:10.496{5F3DCEF0-28A1-623C-9400-000000004202}50243216C:\Windows\Explorer.EXE{5F3DCEF0-502A-623C-C805-000000004202}3984C:\Temp\doublezero-cleaned.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119995Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:10.496{5F3DCEF0-28A1-623C-8F00-000000004202}47164784C:\Windows\system32\taskhostw.exe{5F3DCEF0-502A-623C-C905-000000004202}6164C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119994Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:10.496{5F3DCEF0-28A1-623C-8F00-000000004202}47164784C:\Windows\system32\taskhostw.exe{5F3DCEF0-502A-623C-C905-000000004202}6164C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119993Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:10.465{5F3DCEF0-28A1-623C-9400-000000004202}50244564C:\Windows\Explorer.EXE{5F3DCEF0-502A-623C-C805-000000004202}3984C:\Temp\doublezero-cleaned.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119992Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:10.465{5F3DCEF0-28A1-623C-9400-000000004202}50244564C:\Windows\Explorer.EXE{5F3DCEF0-502A-623C-C805-000000004202}3984C:\Temp\doublezero-cleaned.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119991Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:10.465{5F3DCEF0-28A1-623C-9400-000000004202}50244564C:\Windows\Explorer.EXE{5F3DCEF0-502A-623C-C805-000000004202}3984C:\Temp\doublezero-cleaned.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119990Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:10.465{5F3DCEF0-28A1-623C-9400-000000004202}50244564C:\Windows\Explorer.EXE{5F3DCEF0-502A-623C-C805-000000004202}3984C:\Temp\doublezero-cleaned.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119989Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:10.465{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-502A-623C-C905-000000004202}6164C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bc660|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119988Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:10.465{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-502A-623C-C905-000000004202}6164C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10ac30|C:\Windows\System32\SHELL32.dll+bc61c|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119987Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:10.465{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-502A-623C-C905-000000004202}6164C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bc5f0|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119986Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:10.465{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-502A-623C-C905-000000004202}6164C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+1007b9|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119985Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:10.465{5F3DCEF0-286D-623C-1600-000000004202}12601932C:\Windows\system32\svchost.exe{5F3DCEF0-502A-623C-C905-000000004202}6164C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119984Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:10.465{5F3DCEF0-286D-623C-1600-000000004202}12601344C:\Windows\system32\svchost.exe{5F3DCEF0-502A-623C-C905-000000004202}6164C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119983Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:10.450{5F3DCEF0-502A-623C-C905-000000004202}61646288C:\Windows\system32\conhost.exe{5F3DCEF0-502A-623C-C805-000000004202}3984C:\Temp\doublezero-cleaned.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119982Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:10.435{5F3DCEF0-289E-623C-8500-000000004202}29804996C:\Windows\system32\csrss.exe{5F3DCEF0-502A-623C-C905-000000004202}6164C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119981Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:10.435{5F3DCEF0-286D-623C-1200-000000004202}3961416C:\Windows\System32\svchost.exe{5F3DCEF0-502A-623C-C905-000000004202}6164C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119980Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:10.435{5F3DCEF0-5000-623C-BD05-000000004202}66966968C:\Users\Administrator\Downloads\dnSpy.exe{5F3DCEF0-502A-623C-C805-000000004202}3984C:\Temp\doublezero-cleaned.exe0x12367bC:\Windows\SYSTEM32\ntdll.dll+a9414|C:\Windows\System32\KERNELBASE.dll+c7145|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+11fc7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119979Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:10.418{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119978Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:10.418{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119977Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:10.418{5F3DCEF0-5000-623C-BD05-000000004202}66966968C:\Users\Administrator\Downloads\dnSpy.exe{5F3DCEF0-502A-623C-C805-000000004202}3984C:\Temp\doublezero-cleaned.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+2d6a1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+342a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+37aa|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+1ff2|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13db8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+12047|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119976Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:10.418{5F3DCEF0-5000-623C-BD05-000000004202}66966968C:\Users\Administrator\Downloads\dnSpy.exe{5F3DCEF0-502A-623C-C805-000000004202}3984C:\Temp\doublezero-cleaned.exe0x101479C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+3791|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+1ff2|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13db8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+12047|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119975Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:10.418{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119974Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:10.418{5F3DCEF0-5000-623C-BD05-000000004202}66966968C:\Users\Administrator\Downloads\dnSpy.exe{5F3DCEF0-502A-623C-C805-000000004202}3984C:\Temp\doublezero-cleaned.exe0x101479C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+56000|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13d66|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+12047|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119973Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:10.418{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119972Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:10.418{5F3DCEF0-289E-623C-8500-000000004202}29802452C:\Windows\system32\csrss.exe{5F3DCEF0-502A-623C-C805-000000004202}3984C:\Temp\doublezero-cleaned.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119971Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:10.418{5F3DCEF0-5000-623C-BD05-000000004202}66966968C:\Users\Administrator\Downloads\dnSpy.exe{5F3DCEF0-502A-623C-C805-000000004202}3984C:\Temp\doublezero-cleaned.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+7436c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+5526b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13d31|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+12047|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119970Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:10.431{5F3DCEF0-502A-623C-C805-000000004202}3984C:\Temp\doublezero-cleaned.exe-----"C:\Temp\doublezero-cleaned.exe"C:\Temp\ATTACKRANGE\Administrator{5F3DCEF0-28A0-623C-DB99-080000000000}0x899db2HighMD5=38A15145105BE943415EB1B1602C9C31,SHA256=0608FB940E1CE2EF38E3D16A6A0E436390AE87A193C4FE9AC7118510DB86B495,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe"C:\Users\Administrator\Downloads\dnSpy.exe" 10341000x8000000000000000119969Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:10.418{5F3DCEF0-286D-623C-1200-000000004202}3961416C:\Windows\System32\svchost.exe{5F3DCEF0-502A-623C-C805-000000004202}3984C:\Temp\doublezero-cleaned.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119968Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:10.418{5F3DCEF0-28A1-623C-9400-000000004202}50243216C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119967Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:10.418{5F3DCEF0-28A1-623C-9400-000000004202}50243216C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119966Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:10.418{5F3DCEF0-28A1-623C-9400-000000004202}50243216C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000085994Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:11.284{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6A5CD59CB250F7800FCB09DD86CFC8B,SHA256=BEFB531AB0CF038E7717B595CFFDC6B6FB899D1ADD7F7F3543528F080F8CEEC1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000120028Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:08.910{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63331-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000120027Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:11.481{5F3DCEF0-28A1-623C-9400-000000004202}50243216C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120026Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:11.481{5F3DCEF0-28A1-623C-9400-000000004202}50243216C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120025Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:11.481{5F3DCEF0-28A1-623C-9400-000000004202}50243216C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120024Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:11.481{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bc660|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120023Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:11.465{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10ac30|C:\Windows\System32\SHELL32.dll+bc61c|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120022Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:11.465{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bc5f0|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120021Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:11.465{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+1007b9|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000120020Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:11.450{5F3DCEF0-502A-623C-C805-000000004202}3984ATTACKRANGE\AdministratorC:\Temp\doublezero-cleaned.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\SchCache\win-dc-tcontreras-attack-range-891.attackrange.local.schMD5=3B3531A335298119AD90D9B9BEB810AF,SHA256=77996876B4230A7DFCE13A77C0AA2E3B969AFA2A4562FD8583B6DDE3742EB2AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120019Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:11.090{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8FF2EBA706C74397004F72475461710,SHA256=99DCFB373E9179D0C229280FBB5EA28BF38ACA6A989A947750A2AD44F5D8A134,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085996Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:12.377{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D715DB2D3B64E05A17D176C2F83433E4,SHA256=8D57F78689DA71D51C17E311974AF4603B981795B4BB641C70B8AFE410641E31,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085995Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:09.693{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51694-false10.0.1.12-8000- 22542200x8000000000000000120032Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:10.892{5F3DCEF0-502A-623C-C805-000000004202}3984win-dc-tcontreras-attack-range-891.attackrange.local0fe80::44c5:ef28:42ec:7b5;::ffff:10.0.1.14;C:\Temp\doublezero-cleaned.exe 354300x8000000000000000120031Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:10.649{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63332-false10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local389ldap 354300x8000000000000000120030Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:10.649{5F3DCEF0-502A-623C-C805-000000004202}3984C:\Temp\doublezero-cleaned.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63332-false10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local389ldap 23542300x8000000000000000120029Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:12.012{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB9243DA2D1655F94A5588DE0A3A2B3D,SHA256=10997EBFF08639359DE338268B06E09D5633BF9C6AE01591672327F947ECA356,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085997Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:13.471{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDDFADFE80317DB0D52E0823ED8D8755,SHA256=6189B0B526B5C2B55B51802A34EBC2AFF36551633CE4A3FF10D756E7AB0F44CB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120035Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:13.575{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120034Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:13.575{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000120033Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:13.106{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=270041F98C25E045D35F3F5A4A6306A9,SHA256=A4220C76E617FAE5F3533749C66C2FC0243028DFB84153F24F365CC10974D855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085998Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:14.565{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D18763E9094DEBF01FBB3220ACB7E639,SHA256=C39968C7DC6FD5B5B7FEE6CF8A9AA595AF47779A530E194AC19FE84766A50694,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120041Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:14.543{5F3DCEF0-28A1-623C-9400-000000004202}50243216C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120040Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:14.543{5F3DCEF0-28A1-623C-9400-000000004202}50243216C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120039Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:14.543{5F3DCEF0-28A1-623C-9400-000000004202}50243216C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120038Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:14.512{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120037Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:14.512{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000120036Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:14.200{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE67C8EDFAD9F829C70CE9601DE23B9A,SHA256=09A4EC8531ED0C6E8FE4453F0DB4E716D721BA64D34B374B57EB07C046D8D975,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085999Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:15.659{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE07565CDF218D4A668DBF1454E34A4B,SHA256=013D410DAD08475DF739C1693F5C46A40A87A37878BF3562CA5C83E8681D2809,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120090Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:15.981{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-502F-623C-CA05-000000004202}596C:\Temp\doublezero-cleaned.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120089Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:15.981{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-502F-623C-CA05-000000004202}596C:\Temp\doublezero-cleaned.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120088Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:15.981{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-502F-623C-CA05-000000004202}596C:\Temp\doublezero-cleaned.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120087Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:15.825{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-502F-623C-CA05-000000004202}596C:\Temp\doublezero-cleaned.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120086Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:15.809{5F3DCEF0-5000-623C-BD05-000000004202}66961076C:\Users\Administrator\Downloads\dnSpy.exe{5F3DCEF0-502F-623C-CA05-000000004202}596C:\Temp\doublezero-cleaned.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FFB71F777CC) 10341000x8000000000000000120085Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:15.778{5F3DCEF0-5000-623C-BD05-000000004202}66964572C:\Users\Administrator\Downloads\dnSpy.exe{5F3DCEF0-502F-623C-CA05-000000004202}596C:\Temp\doublezero-cleaned.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FFB71F28BCB) 10341000x8000000000000000120084Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:15.778{5F3DCEF0-5000-623C-BD05-000000004202}66964572C:\Users\Administrator\Downloads\dnSpy.exe{5F3DCEF0-502F-623C-CA05-000000004202}596C:\Temp\doublezero-cleaned.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FFB71F28BCB) 10341000x8000000000000000120083Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:15.778{5F3DCEF0-5000-623C-BD05-000000004202}66964572C:\Users\Administrator\Downloads\dnSpy.exe{5F3DCEF0-502F-623C-CA05-000000004202}596C:\Temp\doublezero-cleaned.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FFB71F28BCB) 10341000x8000000000000000120082Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:15.778{5F3DCEF0-5000-623C-BD05-000000004202}66964572C:\Users\Administrator\Downloads\dnSpy.exe{5F3DCEF0-502F-623C-CA05-000000004202}596C:\Temp\doublezero-cleaned.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FFB71F28BCB) 10341000x8000000000000000120081Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:15.778{5F3DCEF0-5000-623C-BD05-000000004202}66964572C:\Users\Administrator\Downloads\dnSpy.exe{5F3DCEF0-502F-623C-CA05-000000004202}596C:\Temp\doublezero-cleaned.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FFB71F32A4B) 10341000x8000000000000000120080Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:15.778{5F3DCEF0-5000-623C-BD05-000000004202}66964572C:\Users\Administrator\Downloads\dnSpy.exe{5F3DCEF0-502F-623C-CA05-000000004202}596C:\Temp\doublezero-cleaned.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FFB71F28BCB) 10341000x8000000000000000120079Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:15.762{5F3DCEF0-5000-623C-BD05-000000004202}66964572C:\Users\Administrator\Downloads\dnSpy.exe{5F3DCEF0-502F-623C-CA05-000000004202}596C:\Temp\doublezero-cleaned.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FFB71F28BCB) 10341000x8000000000000000120078Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:15.762{5F3DCEF0-5000-623C-BD05-000000004202}66964572C:\Users\Administrator\Downloads\dnSpy.exe{5F3DCEF0-502F-623C-CA05-000000004202}596C:\Temp\doublezero-cleaned.exe0x1038C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FFB71F27866) 10341000x8000000000000000120077Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:15.762{5F3DCEF0-5000-623C-BD05-000000004202}66961076C:\Users\Administrator\Downloads\dnSpy.exe{5F3DCEF0-502F-623C-CA05-000000004202}596C:\Temp\doublezero-cleaned.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FFB71F23DF9) 10341000x8000000000000000120076Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:15.762{5F3DCEF0-5000-623C-BD05-000000004202}66961328C:\Users\Administrator\Downloads\dnSpy.exe{5F3DCEF0-502F-623C-CA05-000000004202}596C:\Temp\doublezero-cleaned.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+2d6a1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+104b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+11e6c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+2c214|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+120a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120075Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:15.746{5F3DCEF0-28A1-623C-9400-000000004202}50243216C:\Windows\Explorer.EXE{5F3DCEF0-502F-623C-CA05-000000004202}596C:\Temp\doublezero-cleaned.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120074Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:15.746{5F3DCEF0-28A1-623C-9400-000000004202}50243216C:\Windows\Explorer.EXE{5F3DCEF0-502F-623C-CA05-000000004202}596C:\Temp\doublezero-cleaned.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120073Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:15.746{5F3DCEF0-28A1-623C-9400-000000004202}50243216C:\Windows\Explorer.EXE{5F3DCEF0-502F-623C-CA05-000000004202}596C:\Temp\doublezero-cleaned.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120072Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:15.746{5F3DCEF0-28A1-623C-8F00-000000004202}47164784C:\Windows\system32\taskhostw.exe{5F3DCEF0-502F-623C-CB05-000000004202}6180C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120071Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:15.746{5F3DCEF0-28A1-623C-8F00-000000004202}47164784C:\Windows\system32\taskhostw.exe{5F3DCEF0-502F-623C-CB05-000000004202}6180C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120070Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:15.731{5F3DCEF0-28A1-623C-9400-000000004202}50244564C:\Windows\Explorer.EXE{5F3DCEF0-502F-623C-CA05-000000004202}596C:\Temp\doublezero-cleaned.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120069Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:15.731{5F3DCEF0-28A1-623C-9400-000000004202}50244564C:\Windows\Explorer.EXE{5F3DCEF0-502F-623C-CA05-000000004202}596C:\Temp\doublezero-cleaned.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120068Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:15.731{5F3DCEF0-28A1-623C-9400-000000004202}50244564C:\Windows\Explorer.EXE{5F3DCEF0-502F-623C-CA05-000000004202}596C:\Temp\doublezero-cleaned.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120067Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:15.731{5F3DCEF0-28A1-623C-9400-000000004202}50244564C:\Windows\Explorer.EXE{5F3DCEF0-502F-623C-CA05-000000004202}596C:\Temp\doublezero-cleaned.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120066Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:15.731{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-502F-623C-CB05-000000004202}6180C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bc660|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120065Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:15.731{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-502F-623C-CB05-000000004202}6180C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10ac30|C:\Windows\System32\SHELL32.dll+bc61c|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120064Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:15.731{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-502F-623C-CB05-000000004202}6180C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bc5f0|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120063Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:15.731{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-502F-623C-CB05-000000004202}6180C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+1007b9|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120062Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:15.731{5F3DCEF0-286D-623C-1600-000000004202}12601932C:\Windows\system32\svchost.exe{5F3DCEF0-502F-623C-CB05-000000004202}6180C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120061Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:15.731{5F3DCEF0-286D-623C-1600-000000004202}12601344C:\Windows\system32\svchost.exe{5F3DCEF0-502F-623C-CB05-000000004202}6180C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120060Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:15.715{5F3DCEF0-502F-623C-CB05-000000004202}61806088C:\Windows\system32\conhost.exe{5F3DCEF0-502F-623C-CA05-000000004202}596C:\Temp\doublezero-cleaned.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120059Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:15.715{5F3DCEF0-289E-623C-8500-000000004202}29802452C:\Windows\system32\csrss.exe{5F3DCEF0-502F-623C-CB05-000000004202}6180C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000120058Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:15.700{5F3DCEF0-286D-623C-1200-000000004202}3961416C:\Windows\System32\svchost.exe{5F3DCEF0-502F-623C-CB05-000000004202}6180C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120057Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:15.700{5F3DCEF0-5000-623C-BD05-000000004202}66961328C:\Users\Administrator\Downloads\dnSpy.exe{5F3DCEF0-502F-623C-CA05-000000004202}596C:\Temp\doublezero-cleaned.exe0x12367bC:\Windows\SYSTEM32\ntdll.dll+a9414|C:\Windows\System32\KERNELBASE.dll+c7145|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+11fc7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120056Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:15.700{5F3DCEF0-5000-623C-BD05-000000004202}66961328C:\Users\Administrator\Downloads\dnSpy.exe{5F3DCEF0-502F-623C-CA05-000000004202}596C:\Temp\doublezero-cleaned.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+2d6a1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+342a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+37aa|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+1ff2|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13db8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+12047|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120055Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:15.700{5F3DCEF0-5000-623C-BD05-000000004202}66961328C:\Users\Administrator\Downloads\dnSpy.exe{5F3DCEF0-502F-623C-CA05-000000004202}596C:\Temp\doublezero-cleaned.exe0x101479C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+3791|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+1ff2|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13db8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+12047|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120054Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:15.700{5F3DCEF0-5000-623C-BD05-000000004202}66961328C:\Users\Administrator\Downloads\dnSpy.exe{5F3DCEF0-502F-623C-CA05-000000004202}596C:\Temp\doublezero-cleaned.exe0x101479C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+56000|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13d66|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+12047|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120053Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:15.700{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120052Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:15.700{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120051Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:15.700{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120050Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:15.700{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120049Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:15.700{5F3DCEF0-289E-623C-8500-000000004202}29806004C:\Windows\system32\csrss.exe{5F3DCEF0-502F-623C-CA05-000000004202}596C:\Temp\doublezero-cleaned.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000120048Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:15.700{5F3DCEF0-286D-623C-1200-000000004202}3961416C:\Windows\System32\svchost.exe{5F3DCEF0-502F-623C-CA05-000000004202}596C:\Temp\doublezero-cleaned.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120047Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:15.700{5F3DCEF0-5000-623C-BD05-000000004202}66961328C:\Users\Administrator\Downloads\dnSpy.exe{5F3DCEF0-502F-623C-CA05-000000004202}596C:\Temp\doublezero-cleaned.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+7436c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+5526b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13d31|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+12047|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000120046Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:15.710{5F3DCEF0-502F-623C-CA05-000000004202}596C:\Temp\doublezero-cleaned.exe-----"C:\Temp\doublezero-cleaned.exe"C:\Temp\ATTACKRANGE\Administrator{5F3DCEF0-28A0-623C-DB99-080000000000}0x899db2HighMD5=38A15145105BE943415EB1B1602C9C31,SHA256=0608FB940E1CE2EF38E3D16A6A0E436390AE87A193C4FE9AC7118510DB86B495,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe"C:\Users\Administrator\Downloads\dnSpy.exe" 10341000x8000000000000000120045Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:15.700{5F3DCEF0-28A1-623C-9400-000000004202}50243216C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120044Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:15.700{5F3DCEF0-28A1-623C-9400-000000004202}50243216C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120043Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:15.700{5F3DCEF0-28A1-623C-9400-000000004202}50243216C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000120042Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:15.293{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6490C275317D0496CEC9B52205BA6F8E,SHA256=09E300DE7E6B05F1B53748014C2295BFA29BCE6264EE5D4D38E76A75CEEAF5B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086000Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:16.756{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFCFC1259DA4515B55379D4E23B5430B,SHA256=C46B91B1B990A2CAE154D49E3FDC507157C5A37395DB881A89FEACDA5B6BC9B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120106Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:16.819{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=96DAB9B2D9EEF31D2CCA93AEF7970831,SHA256=68E2257F517175E453C78BDCDDD95379447D0D61C133C4C5FEC0FEB34BDE5209,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120105Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:16.647{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=164F8D647D92375F76455A816D904621,SHA256=91E639FB35389974755A10CAC65F4B65C7CA07A9C6BAAB98CB5849A45BF7A390,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120104Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:16.569{5F3DCEF0-28A1-623C-9400-000000004202}50243216C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120103Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:16.554{5F3DCEF0-28A1-623C-9400-000000004202}50243216C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120102Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:16.554{5F3DCEF0-28A1-623C-9400-000000004202}50243216C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120101Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:16.554{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bc660|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120100Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:16.554{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10ac30|C:\Windows\System32\SHELL32.dll+bc61c|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120099Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:16.554{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bc5f0|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120098Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:16.554{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+1007b9|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000120097Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:16.538{5F3DCEF0-502F-623C-CA05-000000004202}596ATTACKRANGE\AdministratorC:\Temp\doublezero-cleaned.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\SchCache\win-dc-tcontreras-attack-range-891.attackrange.local.schMD5=3B3531A335298119AD90D9B9BEB810AF,SHA256=77996876B4230A7DFCE13A77C0AA2E3B969AFA2A4562FD8583B6DDE3742EB2AD,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000120096Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:16.028{5F3DCEF0-502F-623C-CA05-000000004202}596C:\Temp\doublezero-cleaned.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x8000000000000000120095Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:16.028{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-502F-623C-CA05-000000004202}596C:\Temp\doublezero-cleaned.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120094Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:16.028{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-502F-623C-CA05-000000004202}596C:\Temp\doublezero-cleaned.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120093Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:16.028{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-502F-623C-CA05-000000004202}596C:\Temp\doublezero-cleaned.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120092Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:16.012{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-502F-623C-CA05-000000004202}596C:\Temp\doublezero-cleaned.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000120091Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:13.942{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63333-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000086002Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:17.850{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2DBF4932CDC19304F1261F6025D63D6,SHA256=93492B814E896C68D8A5B57A3A69348B568B7DA2A14BB554E4BA2E2C876931D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120107Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:17.601{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=155D02A2F3E9B53EE39D81307D6B5705,SHA256=C1C603698102B3A04A2A43909389BB28F3BF8973BA6B4C11AF6CC34B1F003BE6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000086001Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:14.739{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51695-false10.0.1.12-8000- 23542300x800000000000000086003Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:18.943{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E3052CA7FE66A7EF6797C6F5D311086,SHA256=8B5DC40A818181DC505F22293F0E1CF267C0D3B628DADCD7B88A2CEFEA43613D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120111Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:18.694{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7E94A0830B69226DA01202C996A68CC,SHA256=A37B5961434AD2393ECA062827F3722571BFF73B1663ECFF8BB261EE5CFECB94,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000120110Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:15.789{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63334-false10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local389ldap 354300x8000000000000000120109Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:15.789{5F3DCEF0-502F-623C-CA05-000000004202}596C:\Temp\doublezero-cleaned.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63334-false10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local389ldap 22542200x8000000000000000120108Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:16.026{5F3DCEF0-502F-623C-CA05-000000004202}596win-dc-tcontreras-attack-range-891.attackrange.local0fe80::44c5:ef28:42ec:7b5;::ffff:10.0.1.14;C:\Temp\doublezero-cleaned.exe 23542300x8000000000000000120112Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:19.788{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CF4F138FA6FA3C6DBBF14821C75079F,SHA256=4347EC401F1B6CB27829CA8DB33933E1172C5EFF6880984CC836A14CE0BF5523,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000120114Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:18.983{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63335-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000120113Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:20.882{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B615D1279ED3AE717D3D8157A7A3DB9B,SHA256=E72B12FC50E1F8D3BEA8D27D6D25941D450D62E1992E5D2D4C8D036B91BA818A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086004Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:20.037{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AF349FA4A9F9DC6EB9B5DE431BB7817,SHA256=110B03E8436BCE45FDCD8B0FDCDF470D6B982ABC7FE1F436FCEE0B3B88C769F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120115Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:21.976{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=363C5261EC791974CD35720CA4597FCB,SHA256=BAD9722F536930A8AC79AD32C46C0C09CB42EBCDD6AA9C14D93B76A5B9FD849D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086005Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:21.131{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87A9D4EDD1343B1D7F1D355A7EBE3A02,SHA256=360B83EA4416747E24CBF633CB0D20F1480FC514725D24EDD099543A9E3C182A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086006Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:22.225{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF3AAACA5F1E6282500A929D64C1251B,SHA256=F2ECCF72D8D6A6C22FFAC581467FF22B6F703AB80FA0389ADEFDF720CCCF066D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000086008Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:20.648{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51696-false10.0.1.12-8000- 23542300x800000000000000086007Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:23.318{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F26EF20A0E84B1FFFC3FB32F09B20EAA,SHA256=D6A5576F684E65BC2C8B04AC030F0756F29B74A371E9A30ED67E5EE77E63CB37,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120120Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:23.116{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120119Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:23.116{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000120118Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:23.085{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A2D8F567B2E31D17A6409115A9A4645,SHA256=E8FC0D34694A08D3415897A887EE75BC7E71B1558B24C39F53DB61FB3E9052DA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120117Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:23.069{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120116Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:23.069{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000086010Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:24.959{9531C931-286E-623C-2100-000000004302}2000NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=4D4B9E1D5850F118985FC4F2119FB887,SHA256=8EF89707863D002CC5508C1EDD7F984ABA178DA4EBADAF64D7E48699F68094E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086009Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:24.412{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EDBF1904AEDF06548C3A743423BF7EF,SHA256=F9245058169C3F61B0DD5A4C692A05B9ECDEEA78C8379E6697D60C0BCE627429,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120121Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:24.179{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC2EC5F8E8C6DD7BF3F2E27164A40763,SHA256=F72EC3948DB4D9B73B02DE038C69E51D746FA12A1085B8B3070357FD86398FCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086011Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:25.506{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA7D11492DC6C0726ED6CE6CB87CE16D,SHA256=151181BB664A541936CED1892E237ECFE810F477BAE2BD06E047718919ECF831,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120122Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:25.272{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DDE8D0DA1B4A9201A077C2B09D60F89,SHA256=491AB9ED8579263DCC4870F898AFCBBBB1BABFA4661625B28E0C2AA244C99CAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086012Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:26.600{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EF116ADF272F0AC91E595D72D8ACFDE,SHA256=E1A4A3FBB01C3F086F6071802DEA90E9E331FDF92CF78C34471814D1D36E80AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120123Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:26.349{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A68F1A420773690519FF096C7D5BCEDE,SHA256=5034DCE0581CA0F7A8282D5636345333D04B237E584DA32006B8F05CE4D44D33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086013Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:27.693{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A55AE11AE22C1F4DD5918BF91CA1DBC,SHA256=EF0F51199953E55E00D5D962DDC2306099ACD27E1111B674D426F39D55A2BA1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120125Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:27.364{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CE52CAC8A68EB66FC172D417ADEECB4,SHA256=04F7B996110E4C0B682A88255EB87F787A0C74139A5B6325EB67EC831359F404,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000120124Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:24.983{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63336-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000086015Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:28.787{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE153E1BFA635A55B953C60B87E56562,SHA256=B8FFB9C66CD4DC0C77E27E890867EEC2F22C878F711DFF20DACB4F387604120D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120126Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:28.445{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59679E66FE947F826990462BAF53A708,SHA256=45E2159FA85EE3117876E4E1D7DFBB8176B3EADA40E9444E46955483DF8E9DBF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000086014Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:25.680{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51697-false10.0.1.12-8000- 23542300x800000000000000086016Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:29.881{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AD1E711ACB340A4B2BB8030556FDF27,SHA256=83A4073DCB396A64F2FDB65C5E323B69D40239667C394C47B42CBF3BAEFD9EE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120127Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:29.538{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DF2A49AF828453C71BD16E5E08E8B94,SHA256=52319C63751F2B2F32037D3D45263AFC014D1647240E0707BF4F8C43C9879693,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086017Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:30.975{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A86CCB057444AAE663859C6BC447C1D0,SHA256=791BBC7E262EB109FF7B29A8E3798B53FA9C2B027BCD8AE2A0D177AA4D07B427,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120135Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:30.835{5F3DCEF0-28A1-623C-9400-000000004202}50243216C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120134Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:30.835{5F3DCEF0-28A1-623C-9400-000000004202}50243216C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120133Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:30.835{5F3DCEF0-28A1-623C-9400-000000004202}50243216C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120132Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:30.773{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120131Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:30.773{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000120130Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:30.632{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8E1930E01197347A9E0AACD12FE6D0D,SHA256=79FC30E54346C54F93481140693B37EDE6A5D7140F91094659128E916AC65FC1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120129Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:30.007{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120128Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:30.007{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120181Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:31.960{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-503F-623C-CC05-000000004202}6868C:\Temp\doublezero-cleaned.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120180Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:31.960{5F3DCEF0-5000-623C-BD05-000000004202}66966880C:\Users\Administrator\Downloads\dnSpy.exe{5F3DCEF0-503F-623C-CC05-000000004202}6868C:\Temp\doublezero-cleaned.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FFB71F777CC) 10341000x8000000000000000120179Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:31.898{5F3DCEF0-5000-623C-BD05-000000004202}66964572C:\Users\Administrator\Downloads\dnSpy.exe{5F3DCEF0-503F-623C-CC05-000000004202}6868C:\Temp\doublezero-cleaned.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FFB71F28BCB) 10341000x8000000000000000120178Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:31.898{5F3DCEF0-5000-623C-BD05-000000004202}66964572C:\Users\Administrator\Downloads\dnSpy.exe{5F3DCEF0-503F-623C-CC05-000000004202}6868C:\Temp\doublezero-cleaned.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FFB71F28BCB) 10341000x8000000000000000120177Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:31.898{5F3DCEF0-5000-623C-BD05-000000004202}66964572C:\Users\Administrator\Downloads\dnSpy.exe{5F3DCEF0-503F-623C-CC05-000000004202}6868C:\Temp\doublezero-cleaned.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FFB71F28BCB) 10341000x8000000000000000120176Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:31.898{5F3DCEF0-5000-623C-BD05-000000004202}66964572C:\Users\Administrator\Downloads\dnSpy.exe{5F3DCEF0-503F-623C-CC05-000000004202}6868C:\Temp\doublezero-cleaned.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FFB71F28BCB) 10341000x8000000000000000120175Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:31.898{5F3DCEF0-5000-623C-BD05-000000004202}66964572C:\Users\Administrator\Downloads\dnSpy.exe{5F3DCEF0-503F-623C-CC05-000000004202}6868C:\Temp\doublezero-cleaned.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FFB71F32A4B) 10341000x8000000000000000120174Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:31.898{5F3DCEF0-5000-623C-BD05-000000004202}66964572C:\Users\Administrator\Downloads\dnSpy.exe{5F3DCEF0-503F-623C-CC05-000000004202}6868C:\Temp\doublezero-cleaned.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FFB71F28BCB) 10341000x8000000000000000120173Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:31.898{5F3DCEF0-5000-623C-BD05-000000004202}66964572C:\Users\Administrator\Downloads\dnSpy.exe{5F3DCEF0-503F-623C-CC05-000000004202}6868C:\Temp\doublezero-cleaned.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FFB71F28BCB) 10341000x8000000000000000120172Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:31.898{5F3DCEF0-5000-623C-BD05-000000004202}66964572C:\Users\Administrator\Downloads\dnSpy.exe{5F3DCEF0-503F-623C-CC05-000000004202}6868C:\Temp\doublezero-cleaned.exe0x1038C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FFB71F27866) 10341000x8000000000000000120171Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:31.898{5F3DCEF0-5000-623C-BD05-000000004202}66966880C:\Users\Administrator\Downloads\dnSpy.exe{5F3DCEF0-503F-623C-CC05-000000004202}6868C:\Temp\doublezero-cleaned.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FFB71F23DF9) 10341000x8000000000000000120170Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:31.898{5F3DCEF0-5000-623C-BD05-000000004202}66967044C:\Users\Administrator\Downloads\dnSpy.exe{5F3DCEF0-503F-623C-CC05-000000004202}6868C:\Temp\doublezero-cleaned.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+2d6a1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+104b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+11e6c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+2c214|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+120a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120169Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:31.882{5F3DCEF0-28A1-623C-9400-000000004202}50243216C:\Windows\Explorer.EXE{5F3DCEF0-503F-623C-CC05-000000004202}6868C:\Temp\doublezero-cleaned.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120168Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:31.882{5F3DCEF0-28A1-623C-9400-000000004202}50243216C:\Windows\Explorer.EXE{5F3DCEF0-503F-623C-CC05-000000004202}6868C:\Temp\doublezero-cleaned.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120167Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:31.882{5F3DCEF0-28A1-623C-9400-000000004202}50243216C:\Windows\Explorer.EXE{5F3DCEF0-503F-623C-CC05-000000004202}6868C:\Temp\doublezero-cleaned.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120166Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:31.867{5F3DCEF0-28A1-623C-8F00-000000004202}47164784C:\Windows\system32\taskhostw.exe{5F3DCEF0-503F-623C-CD05-000000004202}6712C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120165Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:31.867{5F3DCEF0-28A1-623C-8F00-000000004202}47164784C:\Windows\system32\taskhostw.exe{5F3DCEF0-503F-623C-CD05-000000004202}6712C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120164Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:31.867{5F3DCEF0-28A1-623C-9400-000000004202}50244564C:\Windows\Explorer.EXE{5F3DCEF0-503F-623C-CC05-000000004202}6868C:\Temp\doublezero-cleaned.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120163Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:31.867{5F3DCEF0-28A1-623C-9400-000000004202}50244564C:\Windows\Explorer.EXE{5F3DCEF0-503F-623C-CC05-000000004202}6868C:\Temp\doublezero-cleaned.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120162Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:31.867{5F3DCEF0-28A1-623C-9400-000000004202}50244564C:\Windows\Explorer.EXE{5F3DCEF0-503F-623C-CC05-000000004202}6868C:\Temp\doublezero-cleaned.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120161Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:31.867{5F3DCEF0-28A1-623C-9400-000000004202}50244564C:\Windows\Explorer.EXE{5F3DCEF0-503F-623C-CC05-000000004202}6868C:\Temp\doublezero-cleaned.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120160Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:31.867{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-503F-623C-CD05-000000004202}6712C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bc660|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120159Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:31.867{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-503F-623C-CD05-000000004202}6712C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10ac30|C:\Windows\System32\SHELL32.dll+bc61c|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120158Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:31.867{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-503F-623C-CD05-000000004202}6712C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bc5f0|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120157Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:31.867{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-503F-623C-CD05-000000004202}6712C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+1007b9|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120156Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:31.851{5F3DCEF0-286D-623C-1600-000000004202}12601932C:\Windows\system32\svchost.exe{5F3DCEF0-503F-623C-CD05-000000004202}6712C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120155Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:31.851{5F3DCEF0-286D-623C-1600-000000004202}12601344C:\Windows\system32\svchost.exe{5F3DCEF0-503F-623C-CD05-000000004202}6712C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120154Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:31.851{5F3DCEF0-503F-623C-CD05-000000004202}67126268C:\Windows\system32\conhost.exe{5F3DCEF0-503F-623C-CC05-000000004202}6868C:\Temp\doublezero-cleaned.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120153Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:31.851{5F3DCEF0-289E-623C-8500-000000004202}29806004C:\Windows\system32\csrss.exe{5F3DCEF0-503F-623C-CD05-000000004202}6712C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000120152Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:31.835{5F3DCEF0-286D-623C-1200-000000004202}3961416C:\Windows\System32\svchost.exe{5F3DCEF0-503F-623C-CD05-000000004202}6712C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120151Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:31.835{5F3DCEF0-5000-623C-BD05-000000004202}66967044C:\Users\Administrator\Downloads\dnSpy.exe{5F3DCEF0-503F-623C-CC05-000000004202}6868C:\Temp\doublezero-cleaned.exe0x12367bC:\Windows\SYSTEM32\ntdll.dll+a9414|C:\Windows\System32\KERNELBASE.dll+c7145|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+11fc7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120150Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:31.835{5F3DCEF0-5000-623C-BD05-000000004202}66967044C:\Users\Administrator\Downloads\dnSpy.exe{5F3DCEF0-503F-623C-CC05-000000004202}6868C:\Temp\doublezero-cleaned.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+2d6a1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+342a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+37aa|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+1ff2|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13db8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+12047|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120149Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:31.835{5F3DCEF0-5000-623C-BD05-000000004202}66967044C:\Users\Administrator\Downloads\dnSpy.exe{5F3DCEF0-503F-623C-CC05-000000004202}6868C:\Temp\doublezero-cleaned.exe0x101479C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+3791|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+1ff2|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13db8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+12047|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120148Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:31.835{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120147Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:31.835{5F3DCEF0-5000-623C-BD05-000000004202}66967044C:\Users\Administrator\Downloads\dnSpy.exe{5F3DCEF0-503F-623C-CC05-000000004202}6868C:\Temp\doublezero-cleaned.exe0x101479C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+56000|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13d66|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+12047|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120146Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:31.835{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120145Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:31.835{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120144Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:31.835{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120143Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:31.835{5F3DCEF0-289E-623C-8500-000000004202}29802452C:\Windows\system32\csrss.exe{5F3DCEF0-503F-623C-CC05-000000004202}6868C:\Temp\doublezero-cleaned.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000120142Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:31.835{5F3DCEF0-5000-623C-BD05-000000004202}66967044C:\Users\Administrator\Downloads\dnSpy.exe{5F3DCEF0-503F-623C-CC05-000000004202}6868C:\Temp\doublezero-cleaned.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+7436c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+5526b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13d31|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+12047|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120141Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:31.835{5F3DCEF0-286D-623C-1200-000000004202}3961416C:\Windows\System32\svchost.exe{5F3DCEF0-503F-623C-CC05-000000004202}6868C:\Temp\doublezero-cleaned.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000120140Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:31.845{5F3DCEF0-503F-623C-CC05-000000004202}6868C:\Temp\doublezero-cleaned.exe-----"C:\Temp\doublezero-cleaned.exe"C:\Temp\ATTACKRANGE\Administrator{5F3DCEF0-28A0-623C-DB99-080000000000}0x899db2HighMD5=38A15145105BE943415EB1B1602C9C31,SHA256=0608FB940E1CE2EF38E3D16A6A0E436390AE87A193C4FE9AC7118510DB86B495,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe"C:\Users\Administrator\Downloads\dnSpy.exe" 10341000x8000000000000000120139Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:31.835{5F3DCEF0-28A1-623C-9400-000000004202}50243216C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120138Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:31.835{5F3DCEF0-28A1-623C-9400-000000004202}50243216C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120137Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:31.835{5F3DCEF0-28A1-623C-9400-000000004202}50243216C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000120136Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:31.726{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC258EFE5FE5AE4B53518CDAFB65E1CC,SHA256=4773D140C953DE5C9AF3A3B13E81971476644BB755E52ABA6A81CDA994FC31EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086018Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:31.553{9531C931-286E-623C-2100-000000004302}2000NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B25FDCC12974A9C381F03B139373D5A,SHA256=CCB13157BCC6FA0284F12C6446F2447FFDD0F4F85F98465868293CDAEA96B09E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000086020Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:30.727{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51698-false10.0.1.12-8000- 23542300x800000000000000086019Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:32.068{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF32987F06D6A110BB46279AF8F1AE86,SHA256=6199D3FB578E8D5825A7A969ED97A36CEDF8E558E0D74F2975B3A65746FEC178,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120183Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:32.367{5F3DCEF0-286D-623C-0D00-000000004202}8841160C:\Windows\system32\svchost.exe{5F3DCEF0-286D-623C-1600-000000004202}1260C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3d877|c:\windows\system32\rpcss.dll+29a97|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000120182Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:29.999{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63337-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000086022Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:31.086{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51699-false10.0.1.12-8089- 23542300x800000000000000086021Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:33.162{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24D7B8740F48099AE11E225CDFA954BD,SHA256=265497C31F1E1D46C4E4C01606A5D0C07264410ABD579B6FC42EAD8021EC2BA4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120192Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:33.351{5F3DCEF0-28A1-623C-9400-000000004202}50243216C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120191Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:33.351{5F3DCEF0-28A1-623C-9400-000000004202}50243216C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120190Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:33.351{5F3DCEF0-28A1-623C-9400-000000004202}50243216C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120189Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:33.351{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bc660|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120188Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:33.351{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10ac30|C:\Windows\System32\SHELL32.dll+bc61c|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120187Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:33.351{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bc5f0|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120186Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:33.351{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+1007b9|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000120185Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:33.257{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B8A0161392E9644261D82D3FBDF46D5,SHA256=0A305C161676E09B67C56E8DB2CF90136B81F677CB26A0FB5FF2FAF9D08D9F45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120184Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:33.257{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5760684AA1B3A709CA6ACCC4500D78EF,SHA256=6144D41F300517AFAEFC36C2DB79805F8A8BE8F6DCF739A1718306BFE969E83E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120193Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:34.352{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FB94BD4A7AB9BF5508593DDEA4C7A2B,SHA256=47A8667B483FA5E505B2A16E413476375AF86957E96B0C4FBB95D80A53E595BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086023Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:34.256{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06A51BADBE5F0BE0291ABCB0DFC99D6D,SHA256=417928A4E79BEF1F3C542094A2BF8B56925602AD9E4A15A42505AECE2B5AA024,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120195Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:35.446{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8F426F24520E953B3F32D2279071D9F,SHA256=11551CA6B07D39EDD7A9E52EC7FAD0CEA0F1CFE6F1657D186DA4BE6617BE41B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086024Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:35.350{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7A061FA490259CF11CF6BADD2AE2314,SHA256=25496B9DDD394C27499C592A553FCC5223563F21B3C0B29D4958A475D1C8DF7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120194Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:35.274{5F3DCEF0-287B-623C-3200-000000004202}2344NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=90C4436099900B9D0DE7C15DB4576B1A,SHA256=C87BBDA5D427F030D75049E015FC72BAEA4A026EFDB7E6555B3BF3DDF5EAD9E8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000120198Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:35.000{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63338-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000120197Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:36.539{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60EF46FD83B458058445C87CA3D0A575,SHA256=A7BF7D70976D2EE48946782C9276AB7518FDA5B8730C57FB0043BF0342C3718B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086025Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:36.444{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57DA4CA4EE7362B3F6F0BF20707F1479,SHA256=5FA3D13B253A5E0440027E3974ACC14E0B8F817151F389F482C49AD0E6237CB8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120196Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:36.055{5F3DCEF0-286D-623C-0D00-000000004202}8841160C:\Windows\system32\svchost.exe{5F3DCEF0-286D-623C-1100-000000004202}408C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3d877|c:\windows\system32\rpcss.dll+29a97|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120202Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:37.945{5F3DCEF0-286D-623C-1600-000000004202}12606864C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3500-000000004202}2112C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120201Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:37.945{5F3DCEF0-286D-623C-1600-000000004202}12606864C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3500-000000004202}2112C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000120200Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:37.632{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE9DB545A2C3F1B4EFFD6D683A217349,SHA256=B2C60431291D16E47A2D5A82A00F1FAF5996DF88C1C4461D3D9597A6EC21E916,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086026Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:37.538{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3926DA3A598561427E0577D4F795498,SHA256=64DDAD31CF11C93B9921BC769A320625417057F2FF1F1E412F11BA55014EB9A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120199Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:37.195{5F3DCEF0-286D-623C-0D00-000000004202}8841160C:\Windows\system32\svchost.exe{5F3DCEF0-286D-623C-1600-000000004202}1260C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3d877|c:\windows\system32\rpcss.dll+29a97|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000120203Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:38.726{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BF44744C6285C0653248CB1213E2C0C,SHA256=A5911AFA561E5CAEDF424B23B3FEEA9C00D61361A1699235367EDEA1F0D33A63,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000086028Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:36.618{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51700-false10.0.1.12-8000- 23542300x800000000000000086027Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:38.632{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=567E74D5052BF5E0C00B408E7DBE2D14,SHA256=9C66217BB7D63705EC7C5CEBC416E74A0BCAA39C4E8B6D7659115F0298A928F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120205Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:39.820{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD2501541CEC31735AF4EAEDAD934423,SHA256=35B5865C93CAB6ADFA35DB81F78133A66237C0CA28983567F1DC54EFD76A9EFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086029Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:39.725{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF9F9444E248778A0922E0B68ED73C4C,SHA256=8D6C04B4B1240C5FBA830D88EF8C17B0F43DA9CF63D6B74DDDDFD6E95F0D7055,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120204Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:39.195{5F3DCEF0-286D-623C-1300-000000004202}488NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=D0B7AFD5768660DE1E8B36E22EF1AB12,SHA256=9A2C4D2F819DC7A4B5A391B8A95F1050DA17EB0B3474ECE1E0D1155789B977BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120206Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:40.914{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DA52E5C1C4ACA4F20862ECA44FC1564,SHA256=4A861A8041BD965FAC8B06CDA9582C2CAD3945AEADBBA8A0C5F6C4018DD84378,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086032Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:40.819{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71311F917E48376DD51BC922DF1A5D07,SHA256=6FE745301FA71F4DDAB3B3DD5E78A8425EB4F88C83A305AD4D48D329D163625D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086031Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:40.382{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=6A20BC3A9C78330116ED0C508F1042C1,SHA256=D03F936DB0592AC92FEBAC7645672890F71DDF3CD012E9C1082E677FB23F61FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086030Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:40.007{9531C931-286D-623C-1200-000000004302}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=625C0578CDF70C7A94F5326BFAC017CA,SHA256=CDC3662BD9DD6F8776129CF1B0E84E8A0F4CDB525A2AE8815507985F817D3F92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086033Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:41.915{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=390A0C5F775D382895F7DBDE931A02F4,SHA256=455A1550560590F6DB9FBA06AFD178371AA6439225B03350181677077D53931D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120235Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:41.820{5F3DCEF0-287B-623C-3200-000000004202}2344NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B25FDCC12974A9C381F03B139373D5A,SHA256=CCB13157BCC6FA0284F12C6446F2447FFDD0F4F85F98465868293CDAEA96B09E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120234Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:41.304{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120233Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:41.304{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120232Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:41.304{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120231Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:41.304{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120230Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:41.304{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120229Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:41.304{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120228Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:41.304{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120227Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:41.304{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120226Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:41.304{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120225Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:41.304{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120224Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:41.304{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120223Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:41.304{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120222Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:41.304{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120221Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:41.304{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120220Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:41.304{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120219Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:41.304{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120218Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:41.304{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120217Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:41.304{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120216Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:41.304{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120215Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:41.304{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120214Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:41.304{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120213Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:41.304{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120212Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:41.304{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120211Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:41.304{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120210Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:41.304{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120209Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:41.304{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9800-000000004202}5168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120208Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:41.304{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9800-000000004202}5168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120207Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:41.304{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9800-000000004202}5168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000120237Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:40.780{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63339-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000120236Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:42.351{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9A922738937108C85415DB9CEB299A6,SHA256=851B563C052C42375239B7DBB3D62DE9342F2586995B2AECEAE020A7519E8603,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000120239Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:41.562{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63340-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000120238Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:43.445{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD1F0E46665DA4A495FDB6F219B47648,SHA256=C1DF97C3658E7AD743AE6D8D64A0803B97890D4E0196BF433658F2C70A073F6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086034Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:43.008{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72E8DF1B70D35E2A4D6809F3CB90D432,SHA256=DC932234E4510CB42F37278B8C5EEA3CCD360046624187679624536B8BE3839C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120240Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:44.539{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=402747D6FBA473E929261C64FA198106,SHA256=0405599169F60B3CA15EB3236901B7E75954DF3546F18D57444064AC85A8D833,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000086036Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:42.635{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51701-false10.0.1.12-8000- 23542300x800000000000000086035Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:44.102{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB39E17B66A09A9162062969579073F4,SHA256=846E75954D0C99A698091FE6EC794840B21F76AE9F0EEE454E4178A0DCE313E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120241Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:45.632{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B46EBE80C641C243677E46983E6BC806,SHA256=8E43B520B30C956607E54D88B6C73AE1BED8C56F6D560A24D53CECDFD1092836,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086037Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:45.195{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7DA5B43CC152199A3AFBB83531873A8,SHA256=D9E6F391B05E713B734A78778619C1BF0901D924129E9D4DF69BDA67B15D3FD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120242Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:46.726{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A6B51A022B501E3ED79623C681F9950,SHA256=277D19FC9F1577993E2E21CA39FA976AAE13E7C5C682A85F62A9502E6C126E9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086038Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:46.289{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFC477E90A7E797CA7C9583E4DF2102E,SHA256=D87A83C4CA97556AACF80AA2D7801109AD83756CB09CA7B8EFD759081EFD0C0F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000120244Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:45.858{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63341-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000120243Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:47.820{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDCE9DEA6483E88CE43915D07FEDA3DC,SHA256=5BA06C6880311648AA79C3894444AB5994A958704D9D2FB6D3D08BAE6CD1B462,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086039Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:47.383{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C89DFB749DE7D9AA47A4CFAB20EF6D6F,SHA256=B1A54AD1ACC330B928087B43343ECB360C967CC351AD993E7ADAFF0E77041AD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120245Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:48.914{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01896E3E2A26A35F8C5ECBA76ECCD9F0,SHA256=5DA2723641DE8FFC48EFB67C7186BDDD0F50C020EC027F977262FA170D7B14F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086040Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:48.477{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7183FA54AEAE221A8BB33DD1D61AD6D2,SHA256=33E2261BA81D138683D14A97FD2DB25375F65771C8F1E4C6F8E3783B3D62FAE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086041Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:49.570{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CC1A75CB5001C304B3BDAEEB7BA2AC9,SHA256=EE8B6ACFE3567B8348CDE19EDCEA358C541946CC59FAB7B8F82E8148F0913C9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086043Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:50.664{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A08904DD6C27E53B37DC3398D56CC9A,SHA256=169D627D70712B673241F0EF326CB29A0AE3CBCAEDAE5CDA9BEFD08A7816B156,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120247Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:50.164{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-284E-623C-0100-000000004202}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97022|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+2d0d6|C:\Windows\system32\lsasrv.dll+32919|C:\Windows\system32\lsasrv.dll+30267|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+1752d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 23542300x8000000000000000120246Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:50.007{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E1F5F61E36890F6B274D5C2C4E20273,SHA256=EE33DD2F4EB4FDCE555FD302BFBD99085FCF76B31B8EEC5B70A23FC99F135C1C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000086042Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:47.776{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51702-false10.0.1.12-8000- 23542300x800000000000000086044Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:51.758{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF06A0751442D7E61A6216E2A2C61688,SHA256=8D7106FC2451AA15546124FAC24A9612759AEA019AABC2B33A3B74B2106C6444,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000120251Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:49.923{5F3DCEF0-284E-623C-0100-000000004202}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63342-false10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local445microsoft-ds 354300x8000000000000000120250Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:49.922{5F3DCEF0-284E-623C-0100-000000004202}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63342-false10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local445microsoft-ds 23542300x8000000000000000120249Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:51.226{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=887C387B881F3E40FD25318301C7B389,SHA256=0C1AA0CDC1DD6C517CF505EFE5EA757BFD6B1E4CD94668496EF258F25D4FC3A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120248Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:51.101{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C223007B8D981A502F0205DE94BA43A1,SHA256=F468C9BB6C90B584C82E7F1994E13910572D4D71BB19B4814609F91D529362A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086058Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:52.852{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32C8886C5A35AD2CCCDBBD1CE098D94C,SHA256=900BCECFBE49B453CEF83E5A514F3189F5F6815B0C1A07F1491013B8B9E1CB4F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000120253Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:50.876{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63343-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000120252Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:52.304{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DBD2070FF5AF8878D0FF53A67A076CB,SHA256=534AFADE85114D0F433AE3E37FEDFEF95E8BC49A1B5F3F32DC5A05FAE7E4921A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000086057Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:52.289{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-5054-623C-3505-000000004302}1604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086056Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:52.289{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086055Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:52.289{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086054Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:52.289{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086053Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:52.289{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086052Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:52.289{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086051Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:52.289{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086050Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:52.289{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086049Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:52.289{9531C931-286C-623C-0500-000000004302}408424C:\Windows\system32\csrss.exe{9531C931-5054-623C-3505-000000004302}1604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000086048Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:52.289{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086047Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:52.289{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086046Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:52.289{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-5054-623C-3505-000000004302}1604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000086045Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:52.290{9531C931-5054-623C-3505-000000004302}1604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000086074Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:53.945{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FCCA72E876B85B7A6703107AD1C7313,SHA256=F29A3590F586A26F6BB606EB96DFA461FCFAC0009CF447A40702D79C2F6DC5C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120254Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:53.398{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AD2084056FB76D4EED0B7C7A3360480,SHA256=D58EEE7137F90686DADFDC3DE8916455B85D0743255F24F6DA326CF2637F9DDB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000086073Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:53.477{9531C931-5055-623C-3605-000000004302}29721344C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000086072Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:53.399{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EBF3B84BB6DC74C75A24DFB1372D7905,SHA256=10D6F01C9A7D241580B0FB22C13FE0FD7B3E0A68A307306FE085EFFB152262A6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000086071Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:53.180{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-5055-623C-3605-000000004302}2972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086070Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:53.180{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086069Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:53.180{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086068Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:53.180{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086067Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:53.180{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086066Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:53.180{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086065Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:53.180{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086064Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:53.180{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086063Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:53.180{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086062Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:53.180{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086061Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:53.180{9531C931-286C-623C-0500-000000004302}408424C:\Windows\system32\csrss.exe{9531C931-5055-623C-3605-000000004302}2972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000086060Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:53.180{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-5055-623C-3605-000000004302}2972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000086059Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:53.181{9531C931-5055-623C-3605-000000004302}2972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000120255Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:54.493{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC72C076256079854CCDFBC5750F9B9D,SHA256=4B79936D204831CD73A7EB3340A94013DFBD0E6F0A6E5C35E8BE5F41233050E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086075Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:54.089{9531C931-286E-623C-1F00-000000004302}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0461bb3aaa367e86a\channels\health\respondent-20220324081441-165MD5=E0BA989DE2EAC2D304FA728EF5181BE5,SHA256=79811ABCB3575FCAAAD7A2ED1966FC2D319842A68AFDD7DF3600AD47FF32DF65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120256Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:55.587{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BB2827722326B4E5C03EC665FB5A855,SHA256=5EF2DCA29408EF2A7709D0B0BB8FFD6240EA02D5A798CE39830B99BFCCD00AAA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000086105Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:55.948{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-5057-623C-3805-000000004302}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086104Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:55.948{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086103Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:55.948{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086102Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:55.948{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086101Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:55.948{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086100Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:55.948{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086099Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:55.948{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086098Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:55.948{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086097Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:55.948{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086096Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:55.948{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086095Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:55.948{9531C931-286C-623C-0500-000000004302}408424C:\Windows\system32\csrss.exe{9531C931-5057-623C-3805-000000004302}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000086094Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:55.948{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-5057-623C-3805-000000004302}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000086093Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:55.949{9531C931-5057-623C-3805-000000004302}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000086092Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:53.715{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51703-false10.0.1.12-8000- 23542300x800000000000000086091Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:55.117{9531C931-286E-623C-2100-000000004302}2000NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=1903D3FE4050D1E546EFDDF0BD7C6D4A,SHA256=34CD44B51A8AD7A70A3CE9238C8FE1B3AD46EEF7ED64F6A1D4AFC0204BD2A6A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086090Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:55.090{9531C931-286E-623C-1F00-000000004302}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0461bb3aaa367e86a\channels\health\surveyor-20220324081439-166MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086089Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:55.057{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88236E619A074A59360464E4E933EFC0,SHA256=2A55362E350EF42A7A5E1550E2ED930BB5A6E71F56801692DB26F56FD7A51DCF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000086088Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:55.025{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-5057-623C-3705-000000004302}2072C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086087Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:55.025{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086086Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:55.025{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086085Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:55.025{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086084Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:55.025{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086083Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:55.025{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086082Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:55.025{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086081Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:55.025{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086080Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:55.025{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086079Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:55.025{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086078Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:55.025{9531C931-286C-623C-0500-000000004302}4081060C:\Windows\system32\csrss.exe{9531C931-5057-623C-3705-000000004302}2072C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000086077Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:55.025{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-5057-623C-3705-000000004302}2072C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000086076Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:55.026{9531C931-5057-623C-3705-000000004302}2072C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000120258Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:54.785{5F3DCEF0-286D-623C-0F00-000000004202}100C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse20.231.12.44-58668-false10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local3389ms-wbt-server 23542300x8000000000000000120257Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:56.681{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7955E296C21C911B6C9CF267B843C55D,SHA256=93C38A09EAD2512248AE1B2A103F3427E3B37E73F6D65C8E99B65D163C115314,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000086134Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:56.945{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-5058-623C-3A05-000000004302}1876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086133Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:56.945{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086132Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:56.945{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086131Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:56.945{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086130Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:56.945{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086129Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:56.945{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086128Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:56.945{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086127Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:56.945{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086126Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:56.945{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086125Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:56.945{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086124Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:56.945{9531C931-286C-623C-0500-000000004302}4081060C:\Windows\system32\csrss.exe{9531C931-5058-623C-3A05-000000004302}1876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000086123Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:56.945{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-5058-623C-3A05-000000004302}1876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000086122Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:56.946{9531C931-5058-623C-3A05-000000004302}1876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000086121Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:56.711{9531C931-5058-623C-3905-000000004302}27723308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086120Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:56.445{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-5058-623C-3905-000000004302}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086119Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:56.445{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086118Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:56.445{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086117Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:56.445{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086116Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:56.445{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086115Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:56.445{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086114Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:56.445{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086113Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:56.445{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086112Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:56.445{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086111Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:56.445{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086110Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:56.445{9531C931-286C-623C-0500-000000004302}4081060C:\Windows\system32\csrss.exe{9531C931-5058-623C-3905-000000004302}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000086109Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:56.445{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-5058-623C-3905-000000004302}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000086108Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:56.448{9531C931-5058-623C-3905-000000004302}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000086107Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:56.445{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3D9B6668122C8C18608914742D05645,SHA256=45AFDFEECD168F9B6A6A3D7558663F1C540ADC6EE532DDD63502A08E881DFA9F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000086106Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:56.151{9531C931-5057-623C-3805-000000004302}432728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000120259Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:57.774{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D69258E753CCE425AD6678769F66869,SHA256=E352C43708D885DA0FF4DD2F7B152180C1AB21C959D60975AF087A4592F6D3B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086136Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:57.586{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FC0305C257765FCA3FAE38F9CA96F1E,SHA256=CA2F985DF07B0CA0272674FEE346CF0123718C4B2C7CC339E84F1755AFD04A3D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000086135Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:57.117{9531C931-5058-623C-3A05-000000004302}1876820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000120261Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:56.891{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63344-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000120260Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:58.868{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D78E9E38CC16BE4826B22877E52F7A6,SHA256=F104C3A54CE036D7CA410D568EF55B2DCCA5ADAAC1B32488ECF948C9D8430D85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086137Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:58.695{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=558AAAC113E203115ED4BB3DC346594A,SHA256=CD6B3202A86249BD30E9C3BB266D00BAC88529B5E3A0F4D5C712C5479E1BD411,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120262Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:04:59.993{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=248E2DCF7E87E753F77F66A7C8AD2444,SHA256=4621681AEAA8BADB8710ADF98F76C6962B206F1E7FE0E96FBC06947333D938DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086151Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:59.789{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF2EBAA70688803519BCCC17997F4940,SHA256=D6C3795AD3152D093E12798C4C9817A5D5B674557E57B3C6D27C8C10D7C7EC48,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000086150Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:59.320{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-505B-623C-3B05-000000004302}2840C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086149Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:59.320{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086148Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:59.320{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086147Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:59.320{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086146Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:59.320{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086145Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:59.320{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086144Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:59.320{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086143Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:59.320{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086142Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:59.320{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086141Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:59.320{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086140Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:59.320{9531C931-286C-623C-0500-000000004302}408528C:\Windows\system32\csrss.exe{9531C931-505B-623C-3B05-000000004302}2840C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000086139Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:59.320{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-505B-623C-3B05-000000004302}2840C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000086138Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:59.321{9531C931-505B-623C-3B05-000000004302}2840C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000086153Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:00.883{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5859F09A5A93F983D57F52805CA70F8F,SHA256=80995745E2A2526D47BC4F996442EC1431AE5A7EF59A3E17A85992CCE260CF34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086152Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:00.414{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BAA79AE9169170FEFDC1AFDE86776B36,SHA256=23E1D4E4D52BC2889A175B5D9211D34B9499EDB9EE3C78E0563B69E733D7E935,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086155Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:01.992{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAB4BCB7175838050FC524274970642B,SHA256=94F49940539C17F3FB1A09CC6E23850415956EAF85F04D3ED1A9E8AE5CFF3AFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120264Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:01.946{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EEC8989D52FCFE729EBFF1328B574EB8,SHA256=E12E34075E7AEEDBDB1223FDD9E3CAE6BF3591B729CD0FF04B0B026DA7E99A13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120263Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:01.102{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C85C282C3A8A4370D2DA28F5D2C19A8,SHA256=A9673E4C9E3AE6C5DB5265E1A30175F4BF92D36BE6A7FE8E2F02D660E367679E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000086154Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:04:59.650{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51704-false10.0.1.12-8000- 10341000x8000000000000000120273Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:02.774{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-505E-623C-CE05-000000004202}2832C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120272Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:02.759{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120271Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:02.759{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120270Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:02.759{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120269Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:02.759{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120268Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:02.759{5F3DCEF0-286A-623C-0500-000000004202}4041324C:\Windows\system32\csrss.exe{5F3DCEF0-505E-623C-CE05-000000004202}2832C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000120267Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:02.759{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-505E-623C-CE05-000000004202}2832C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000120266Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:02.572{5F3DCEF0-505E-623C-CE05-000000004202}2832C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000120265Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:02.196{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F6CC047E8BA63D8B34FA7C784BC3F27,SHA256=44D475551E4B35F7075AB27C0F6365D8536DDA34094EC2AF7B12A55FED206D03,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120282Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:03.524{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-505F-623C-CF05-000000004202}5788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120281Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:03.524{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120280Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:03.524{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120279Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:03.524{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120278Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:03.524{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120277Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:03.524{5F3DCEF0-286A-623C-0500-000000004202}404608C:\Windows\system32\csrss.exe{5F3DCEF0-505F-623C-CF05-000000004202}5788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000120276Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:03.524{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-505F-623C-CF05-000000004202}5788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000120275Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:03.526{5F3DCEF0-505F-623C-CF05-000000004202}5788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000120274Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:03.290{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2F0622CEAC2C3932057FB2A5EBEFC0F,SHA256=2B788D400B1EC1304E9C20A571A540ED00E50142A9FE4333631A18ECA154C9C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086156Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:03.086{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC193B67AA2B0C4C23B03A545AD0D8B3,SHA256=E9B48481C4E6DA1E8A853A21E22828B99B59CE8A21911648BD575F3D439D91BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086157Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:04.180{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4555F6B46F4DFA346860754A06A42AD,SHA256=4F57A2DA483209FB42DE88A9E0D328E9153B79C243CE897DF73058F90157CB2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120293Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:04.384{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94C74725875D87749A4D343651A17723,SHA256=2913B76ADE893519D52777CCFCFA248F0C7C1BBF3FCC745057A3EFA974D88317,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120292Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:04.212{5F3DCEF0-5060-623C-D005-000000004202}40003188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000120291Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:01.984{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63345-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000120290Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:04.024{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-5060-623C-D005-000000004202}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120289Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:04.024{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120288Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:04.024{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120287Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:04.024{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120286Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:04.024{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120285Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:04.024{5F3DCEF0-286A-623C-0500-000000004202}404608C:\Windows\system32\csrss.exe{5F3DCEF0-5060-623C-D005-000000004202}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000120284Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:04.024{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-5060-623C-D005-000000004202}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000120283Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:04.025{5F3DCEF0-5060-623C-D005-000000004202}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000086158Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:05.273{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05518E0DAC80E6648BBDA29869545E17,SHA256=501B6CDA2BBE6F04010D3256A7F3838CE37021BDC215FFA156F23A5C864BA5BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120295Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:05.571{5F3DCEF0-287B-623C-3200-000000004202}2344NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=1967451370A38ADE70B0F2B8166E5AAC,SHA256=E577B5574DCF9F48FCAA73558413329F97BDB23FD379D80BCC3F207172F34B2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120294Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:05.477{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=855030DB16F62A7F70F7AC82B4203571,SHA256=105DE965E7C46BD3C5FD8AB0317B4445E54EE2761916818C9D7ADDD40AD9746C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086159Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:06.367{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22B6F6FE72F6711C1890F8D4B6402E6A,SHA256=579986DBADEAEB600F02A2CA069AD43C78C6A383164B87443979EE8108B4A154,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120300Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:06.806{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120299Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:06.806{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120298Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:06.806{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120297Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:06.806{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000120296Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:06.571{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=479D3C664A66D96BB264A42D86905CDB,SHA256=4498367620E9D3B03E8F25E77F5D4EA35DC131246E3ED112ED432638D32A14F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120312Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:07.666{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F27116C3A26823A78CF127E6804C258,SHA256=78975A8B0770B5FA5BCE506E1D594B9294EA0BBD5DFE6FF440873663CAB8BEDB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000086161Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:04.682{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51705-false10.0.1.12-8000- 23542300x800000000000000086160Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:07.461{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42D12A2FD9FDF7ADB6849F55A4A1D1C3,SHA256=D275D5B5B2D31D4950693776A068CB3EA1D36AFA84DC1801A5989FCFCE99DBB0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120311Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:07.384{5F3DCEF0-5063-623C-D105-000000004202}22761972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120310Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:07.197{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-5063-623C-D105-000000004202}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000120309Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:07.197{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2705C1166D242C77E450B46812E80E90,SHA256=5AC5B35297C91A76D227ABA19C66AD9198670CFA785FF84A3FEB8C0C1B189D59,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120308Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:07.197{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120307Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:07.197{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120306Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:07.197{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120305Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:07.197{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120304Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:07.197{5F3DCEF0-286A-623C-0500-000000004202}404420C:\Windows\system32\csrss.exe{5F3DCEF0-5063-623C-D105-000000004202}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000120303Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:07.197{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-5063-623C-D105-000000004202}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000120302Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:07.198{5F3DCEF0-5063-623C-D105-000000004202}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000120301Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:07.138{5F3DCEF0-287B-623C-2F00-000000004202}3064NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-055648375a9ac07a7\channels\health\respondent-20220324081453-165MD5=AC296348C12F899BF0F527F2984A2DD1,SHA256=A35560BD23E94F5C9C2AA7752B988DA786BB94608EDDAF755EB3DCD02CE684A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120334Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:08.918{5F3DCEF0-5064-623C-D305-000000004202}49446692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000120333Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:08.762{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA3A1D5CE71ED6798EC069FBB39CBD27,SHA256=43FB8D7D4846A9EA132FA6C3124F80DF8D0A3D77C0EF290CBC5D8DF6CC70DF05,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120332Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:08.715{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-5064-623C-D305-000000004202}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120331Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:08.715{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120330Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:08.715{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120329Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:08.715{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120328Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:08.715{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120327Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:08.715{5F3DCEF0-286A-623C-0500-000000004202}404608C:\Windows\system32\csrss.exe{5F3DCEF0-5064-623C-D305-000000004202}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000120326Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:08.715{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-5064-623C-D305-000000004202}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000120325Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:08.716{5F3DCEF0-5064-623C-D305-000000004202}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000086162Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:08.555{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=576ABE36AC26ABE94FC95C5E90237045,SHA256=AEEFA24FB6396A66745872FAE0E7AA1C51AF38E181A9446F0C58B91B2189E5BC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120324Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:08.414{5F3DCEF0-5064-623C-D205-000000004202}60564820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000120323Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:05.891{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local63346-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local389ldap 354300x8000000000000000120322Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:05.891{5F3DCEF0-287B-623C-2E00-000000004202}3044C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local63346-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local389ldap 10341000x8000000000000000120321Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:08.196{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-5064-623C-D205-000000004202}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120320Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:08.196{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120319Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:08.196{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120318Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:08.196{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120317Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:08.196{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120316Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:08.196{5F3DCEF0-286A-623C-0500-000000004202}404520C:\Windows\system32\csrss.exe{5F3DCEF0-5064-623C-D205-000000004202}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000120315Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:08.196{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-5064-623C-D205-000000004202}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000120314Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:08.196{5F3DCEF0-5064-623C-D205-000000004202}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000120313Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:08.136{5F3DCEF0-287B-623C-2F00-000000004202}3064NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-055648375a9ac07a7\channels\health\surveyor-20220324081451-166MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086163Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:09.648{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A065D51A48DF4597DB60187356F8747E,SHA256=924835827265D67EAA1AA6CD8B9D496C59CBF9BAA0B0009BBC9E401E92BF4185,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120343Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:09.746{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D15829BF065AFC0C7C0DA5C8E737DA5,SHA256=124CF6AF682571A7C1B7D378574ED9E0D53B3AC22CE25C3A36B4478F5A8001B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120342Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:09.387{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-5065-623C-D405-000000004202}2204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120341Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:09.387{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120340Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:09.387{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120339Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:09.387{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120338Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:09.387{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120337Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:09.387{5F3DCEF0-286A-623C-0500-000000004202}4041324C:\Windows\system32\csrss.exe{5F3DCEF0-5065-623C-D405-000000004202}2204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000120336Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:09.387{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-5065-623C-D405-000000004202}2204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000120335Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:09.388{5F3DCEF0-5065-623C-D405-000000004202}2204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000086164Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:10.742{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1BD9A84904A02B635E1A35623E45AE5,SHA256=B1367E3521120EEC7DBBC862736EA33580215D2409B08A3566E6FCE3CA03299D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120347Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:10.840{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F779104C8F5F7F90FAE358721691F923,SHA256=34EA6256F9297764D8E08E67486118B09A0341F2509D4E7A8347D36753BFCE59,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000120346Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:07.921{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63347-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000120345Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:10.137{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120344Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:10.137{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000086165Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:11.836{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A39A849DE6870CD1FAA462EB062EFDED,SHA256=5651C11268663819CE1BE7B174538412A057C0D69E642ECCB1DD07D10B317446,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120352Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:11.934{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B652F16838CAF19B406992D3EEC8222,SHA256=44530D4FE4DCE5C9565B10D554E8EF2DFA96F9502B192D283BE3191AF9ACDB6D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120351Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:11.340{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120350Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:11.340{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120349Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:11.309{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120348Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:11.309{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000086167Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:12.930{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1EEBFBB4571D5EBE1EBD98D2DBB8C1C,SHA256=B891D964D79DC300DCF2772385A3FABF2772F11BE90CE3851CDE4C9745D1AEAA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000086166Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:10.650{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51706-false10.0.1.12-8000- 23542300x8000000000000000120361Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:12.888{5F3DCEF0-503F-623C-CC05-000000004202}6868ATTACKRANGE\AdministratorC:\Temp\doublezero-cleaned.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\SchCache\win-dc-tcontreras-attack-range-891.attackrange.local.schMD5=3B3531A335298119AD90D9B9BEB810AF,SHA256=77996876B4230A7DFCE13A77C0AA2E3B969AFA2A4562FD8583B6DDE3742EB2AD,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000120360Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:12.293{5F3DCEF0-503F-623C-CC05-000000004202}6868C:\Temp\doublezero-cleaned.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x8000000000000000120359Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:12.277{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-503F-623C-CC05-000000004202}6868C:\Temp\doublezero-cleaned.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120358Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:12.277{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-503F-623C-CC05-000000004202}6868C:\Temp\doublezero-cleaned.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120357Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:12.277{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-503F-623C-CC05-000000004202}6868C:\Temp\doublezero-cleaned.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120356Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:12.246{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-503F-623C-CC05-000000004202}6868C:\Temp\doublezero-cleaned.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120355Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:12.230{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-503F-623C-CC05-000000004202}6868C:\Temp\doublezero-cleaned.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120354Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:12.230{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-503F-623C-CC05-000000004202}6868C:\Temp\doublezero-cleaned.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120353Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:12.230{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-503F-623C-CC05-000000004202}6868C:\Temp\doublezero-cleaned.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000120362Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:13.027{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EB90844E1DC7D21BE2072FF0868318A,SHA256=F590F8AB3F48977EED6B70A20821A4AE302DB18D47D3612200C84B38175E6520,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086168Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:14.023{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=325CEB1E2D23E382FB100393AC4B670B,SHA256=97952168C8287DFB2B54D1E90B2D0D607E9E259978929DD3A7894E35FD5FCE6F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000120366Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:12.039{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63348-false10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local389ldap 354300x8000000000000000120365Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:12.039{5F3DCEF0-503F-623C-CC05-000000004202}6868C:\Temp\doublezero-cleaned.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63348-false10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local389ldap 22542200x8000000000000000120364Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:12.277{5F3DCEF0-503F-623C-CC05-000000004202}6868win-dc-tcontreras-attack-range-891.attackrange.local0fe80::44c5:ef28:42ec:7b5;::ffff:10.0.1.14;C:\Temp\doublezero-cleaned.exe 23542300x8000000000000000120363Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:14.152{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBDD24A6438A453D0BF247335EC45554,SHA256=8F5B8809DB72DA01FA04E6EE354E356DCDBFF36E53F307AA6F32239C3A38B6DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086169Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:15.117{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F296D84590BF93A67B611FEF833CC5AA,SHA256=FF60C8527AC14227F3E57710AB2C2F00DACB4D2C1050A5A2B42BE23BDE87B561,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120367Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:15.246{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7442EDA06769C15512341372F8092891,SHA256=153A0EBB5E35AEAB6E33DB5431221A1E3E6AF96DC8463C9FA82B4FB00366D95A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000086174Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:14.895{9531C931-286D-623C-1000-000000004302}916C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse151.67.24.35-1275-false10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal3389ms-wbt-server 10341000x800000000000000086173Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:16.556{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286C-623C-0B00-000000004302}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086172Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:16.556{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286C-623C-0B00-000000004302}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086171Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:16.556{9531C931-286C-623C-0B00-000000004302}6282684C:\Windows\system32\lsass.exe{9531C931-286C-623C-0A00-000000004302}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b8ad|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000086170Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:16.211{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96A87E4FF449B718E4081680E453DDC3,SHA256=46E48CA067CBFC5EA7843EEDA667312FDB7761B8EE750E018FA10C3A24CCD203,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000120369Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:13.969{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63349-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000120368Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:16.338{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA814BBE0F74DE07BE6ACF192B96C923,SHA256=F5BB284EDCF4BFB5F27C9ACD7E066114FC220EF17A0851EEBF9307643B070124,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086176Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:17.743{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=E831E395B56DE285770E30E910FDAC75,SHA256=6391984B415F16C61F206618A5F009B97D9A03A3DAFDBB9FCA34C8B912DBDDCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086175Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:17.306{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF28C5A9AC0A7606D8DC1415122F5352,SHA256=48C2824651F644E3FFBF8DE8A6EF389A0E6C487C12ACFEB8E459BC909DDDB3FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120370Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:17.432{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A78F6C5BB6E0C52A3B3DF59997AB06AA,SHA256=9281C075FA95ABC17B249C8D8D31420A930BD0B3193EBD99F4D431030735E4D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120372Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:18.541{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4E93BE7B450A08F12E151E22A58E19F,SHA256=4BA71EAAC0B4B68376A0210AB54FA66A5660AF397680712EC7111DA68E848565,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000120371Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:16.328{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local53domainfalse10.0.1.15WIN-HOST-TCONTR57859- 354300x800000000000000086182Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:16.652{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51707-false10.0.1.12-8000- 354300x800000000000000086181Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:16.132{9531C931-286E-623C-1600-000000004302}1216C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal57859-false10.0.1.14-53domain 354300x800000000000000086180Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:16.119{9531C931-286E-623C-1600-000000004302}1216C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:c830:da4e:8bac:ffff-65124-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x800000000000000086179Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:16.119{9531C931-286E-623C-1600-000000004302}1216C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:1431:b7c2:78c:d77win-host-tcontreras-attack-range-971.eu-central-1.compute.internal65124-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x800000000000000086178Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:16.119{9531C931-286E-623C-1600-000000004302}1216C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:c830:da4e:8bac:ffff-57859-truea00:10e:0:0:0:0:0:0-53domain 23542300x800000000000000086177Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:18.400{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=970D4994EAF4393362221246BB91690B,SHA256=7126A33A0C553A1BF3D28FF43B7FB5C77F4E689D5FBA5C1E6229517E60914DE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120373Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:19.635{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8154DD806EF7908BCD9EBBAAB60D8D59,SHA256=FDEED02CFB13E2BB3AF135BAAAFB185FE5D2407CECF825D544E323344AF4F7F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086183Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:19.493{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD4BB3E20CD847033491E48879E691FD,SHA256=F4BF7E48FF65B746D2FCA037C97D7ED0DC0C927E76CF0A5860C1CE8AD1D5A967,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120374Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:20.728{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB3D8EF83AB25E7C49F6404D67B8196D,SHA256=6E40FCD28CA2CC7B32AD6ADD90B7A90A9C6279704CFE9AF3F5A84FAD9C7F8D47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086184Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:20.587{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=055759AEE49C1F27B863C0E44653B5C2,SHA256=354153B74BA0616EBD2300874D944C193FDC83B4A2F06B56BCD04A30B906CBDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120376Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:21.822{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5986E49FCF64A68AC2EBF4913878722,SHA256=FA4B62196B0BB0C8C855A2DA7AC417D04F764C7DB054BB21B297B8A3BBE597DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086185Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:21.681{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6DA7541C262E6179E2225DB8EAC759F,SHA256=D2BC597626BBE235AE8BE77C934FE869E4D15B2DA21E876FFDDB358421AA6260,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000120375Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:19.829{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63350-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000086186Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:22.775{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7910CC55A0466E926B2903673BB2DA5E,SHA256=7BF5CCF92F2EE53A3F13ABCD655DA9E579CAF996CDE93F74968B4E09E9C17745,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120377Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:22.916{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83EE5A3D1ABC93B10BD1EE800E022A59,SHA256=1BE7328E0B0844142D4E658F472E8EA06F2059076AB1DB5DE09AA3B3C288B61F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086187Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:23.868{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1803F5ECE720B204B257C76C4D818A23,SHA256=6BA1E46BAD104F7DC46E229FD286096FFC108C16CC01DA7E86A604628CB3A590,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120380Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:23.228{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-284E-623C-0100-000000004202}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97022|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+2d0d6|C:\Windows\system32\lsasrv.dll+32919|C:\Windows\system32\lsasrv.dll+30267|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+1752d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000120379Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:23.119{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-286D-623C-1600-000000004202}1260C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120378Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:23.119{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-286D-623C-1600-000000004202}1260C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000086189Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:24.962{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA63481B0540C09E4A06BA131A5F7E26,SHA256=051686C4384AB8924AB212998E8AE018860B412947F01EC0DED3C2FB00E94029,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000086188Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:22.589{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51708-false10.0.1.12-8000- 354300x8000000000000000120388Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:22.992{5F3DCEF0-284E-623C-0100-000000004202}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:44c5:ef28:42ec:7b5win-dc-tcontreras-attack-range-891.attackrange.local63353-truefe80:0:0:0:44c5:ef28:42ec:7b5win-dc-tcontreras-attack-range-891.attackrange.local445microsoft-ds 354300x8000000000000000120387Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:22.991{5F3DCEF0-284E-623C-0100-000000004202}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:44c5:ef28:42ec:7b5win-dc-tcontreras-attack-range-891.attackrange.local63353-truefe80:0:0:0:44c5:ef28:42ec:7b5win-dc-tcontreras-attack-range-891.attackrange.local445microsoft-ds 354300x8000000000000000120386Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:22.887{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63352-false10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local389ldap 354300x8000000000000000120385Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:22.887{5F3DCEF0-286D-623C-1600-000000004202}1260C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63352-false10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local389ldap 354300x8000000000000000120384Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:22.879{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:44c5:ef28:42ec:7b5win-dc-tcontreras-attack-range-891.attackrange.local63351-truefe80:0:0:0:44c5:ef28:42ec:7b5win-dc-tcontreras-attack-range-891.attackrange.local389ldap 354300x8000000000000000120383Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:22.879{5F3DCEF0-286D-623C-1600-000000004202}1260C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:44c5:ef28:42ec:7b5win-dc-tcontreras-attack-range-891.attackrange.local63351-truefe80:0:0:0:44c5:ef28:42ec:7b5win-dc-tcontreras-attack-range-891.attackrange.local389ldap 23542300x8000000000000000120382Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:24.150{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BDED11751534919BBDF209B4DC91E206,SHA256=32EF318DBE65D1A1C3039826E16E6520B74D4F91C4A06A6F8A32E2AEED1A9AE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120381Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:24.010{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A312E94C257C0EA843DDE5621B993EA9,SHA256=1E30542ABD32BA2142BA8043E0921A1CFDBCA466063B6794EBA8C336F4D23EBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120389Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:25.103{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE83BFE049678809F5C8BED9674239FE,SHA256=889978216C1B9BCF1B26EAF4C66F928F893D4AED9577C509F3199836E06BD1B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086190Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:25.321{9531C931-286E-623C-2100-000000004302}2000NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=45EFEA186EFDB5AA6D9678D9E9238938,SHA256=1862EB45541F78F998C12447D2D7784B66B2ACABE974B3BD6AB5DA86D246F729,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000120391Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:24.907{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63354-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000120390Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:26.197{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91F0D1404EC4D9309E37BF20F8747208,SHA256=6F105A13EB85F4424C1C3133962AA1F1BA6DF99107BD7F6EB8EE5C1BAA7CED40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086191Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:26.275{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDB05D823E607508B1713CF49CE2B3E7,SHA256=4439DF47DAEC776519D50EAD8F7CB1EEA42B3B6B6C6F52D9F495F71DCF8902E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120392Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:27.291{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0374CD23D7E3C0300A065761706CBB6,SHA256=35D93AE3CDD539411707BAEB4EAA6BD7F4094E8302126912DD0B54690E26C67E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086192Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:27.368{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=163FB5F5CE592F0B6C042E57A62AF844,SHA256=5F3081ADFE1D7C3188EE158DB884B025E6E3FE72DFE0A9AF4886A87C2663F81B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120393Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:28.385{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8D11CDA906B85621631BBD53AC7D85A,SHA256=EE6778229F7FC718C76CF6B47BD967D00F81DB7FC26FCECC692DFE37895C27E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086193Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:28.462{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E88CAF59F2B293FBC41B2804379A205,SHA256=961545CE0675999B67BA5DF8CA838331F4AA66C83970CBC61C08413B4BAE3FA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120394Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:29.478{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F53580DD40D57EED4A60A808BDB6E05,SHA256=B91247C7CC622489884B71C4A9EA217896E13018C8BF0F644118620A0337AC08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086194Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:29.556{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DD544C3B1AC3B888560921019A7A8F7,SHA256=EBF2553E38AE279BF9499A4E02751D1D4E2073BCAD95E44442A59DD4F67AB95E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120395Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:30.572{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D80AB014C1E4AF069DFCA9B845E44E05,SHA256=A6E88580116FEF81B011485C714D1794F57F80D280DA2938C6CC6F017DA3C728,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086196Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:30.650{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B4CDED10BE147A99015EEC279AB8EE1,SHA256=5232E1532B3D16BA0D878D215D83376ECF4E2D31A55EAC9A0452E48CB201E0D0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000086195Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:27.605{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51709-false10.0.1.12-8000- 23542300x800000000000000086198Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:31.743{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=264D69D18BF80FD9067B5C5B44817121,SHA256=F87D5085ED7BE9AE633F5267163ECDC8DB438DE906BD1EE3E491B05EFCD8E9F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000120397Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:29.985{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63355-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000120396Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:31.666{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=562C9B30F621D58B80B6522A7D70B55C,SHA256=57AB795B0300ACA97DD037C048AD69CB84094CADDA5EB97DF91B576966C8D286,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086197Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:31.571{9531C931-286E-623C-2100-000000004302}2000NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B25FDCC12974A9C381F03B139373D5A,SHA256=CCB13157BCC6FA0284F12C6446F2447FFDD0F4F85F98465868293CDAEA96B09E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086199Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:32.946{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5626A368CA0A9E830C56A8C954803040,SHA256=CFA3FD6A8E788820358D01F303CDFD48B62F75F920CBF49923247BE90A656A99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120404Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:32.760{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51E8B313D6C1A8911DCD19F17DCFC616,SHA256=249D8ED4F941BAE4CF5C11FB60AEFC3265548D605E0F08BF01C3F25DD4536BF9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120403Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:32.760{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120402Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:32.760{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120401Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:32.197{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120400Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:32.197{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120399Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:32.041{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120398Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:32.041{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000120405Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:33.853{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=179375B110C5344FD1F199C179DD9538,SHA256=624BA1E192DAE483B55A938D6A7A172A80C9FDC433AA682E1B3F5D9741957193,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000086200Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:31.105{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51710-false10.0.1.12-8089- 23542300x8000000000000000120411Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:34.947{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A45A67998F1415646C0191894F2908A,SHA256=641086AD6147B72E6898D18ED17FFCC6455755E50B9B98D5F678525E5A3BFD7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086201Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:34.040{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2EE410817189B042E6898D073173F2A,SHA256=82B3C8BF1E08BB6EEC20419A3416AB972731F5C2354A2B0981788E33146B4391,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120410Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:34.495{5F3DCEF0-28A1-623C-9400-000000004202}50243216C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120409Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:34.495{5F3DCEF0-28A1-623C-9400-000000004202}50243216C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120408Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:34.495{5F3DCEF0-28A1-623C-9400-000000004202}50243216C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120407Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:34.432{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120406Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:34.432{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000086203Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:32.777{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51711-false10.0.1.12-8000- 23542300x800000000000000086202Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:35.134{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ABD9F11929761623E07AEF88DC8B582,SHA256=AA09918AD153D42899706232C41CE4FD81A455ADA8D29E3F668D51E6CFF1445A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120465Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:35.916{5F3DCEF0-287B-623C-3200-000000004202}2344NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=A3333029DAB98FF6EE754F885938A1F6,SHA256=7CD570A6AED38F654A0890B2494952D0A8428993E7CF3C17828FB47AC5F82A0A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120464Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:35.682{5F3DCEF0-28A1-623C-9400-000000004202}50243216C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120463Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:35.666{5F3DCEF0-28A1-623C-9400-000000004202}50243216C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120462Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:35.666{5F3DCEF0-28A1-623C-9400-000000004202}50243216C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120461Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:35.666{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bc660|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120460Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:35.666{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10ac30|C:\Windows\System32\SHELL32.dll+bc61c|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120459Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:35.666{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bc5f0|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120458Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:35.666{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+1007b9|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120457Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:35.541{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-507F-623C-D505-000000004202}3180C:\Temp\doublezero-cleaned.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120456Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:35.525{5F3DCEF0-5000-623C-BD05-000000004202}66965544C:\Users\Administrator\Downloads\dnSpy.exe{5F3DCEF0-507F-623C-D505-000000004202}3180C:\Temp\doublezero-cleaned.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FFB71F777CC) 10341000x8000000000000000120455Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:35.510{5F3DCEF0-5000-623C-BD05-000000004202}66964572C:\Users\Administrator\Downloads\dnSpy.exe{5F3DCEF0-507F-623C-D505-000000004202}3180C:\Temp\doublezero-cleaned.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FFB71F28BCB) 10341000x8000000000000000120454Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:35.510{5F3DCEF0-5000-623C-BD05-000000004202}66964572C:\Users\Administrator\Downloads\dnSpy.exe{5F3DCEF0-507F-623C-D505-000000004202}3180C:\Temp\doublezero-cleaned.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FFB71F28BCB) 10341000x8000000000000000120453Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:35.494{5F3DCEF0-5000-623C-BD05-000000004202}66964572C:\Users\Administrator\Downloads\dnSpy.exe{5F3DCEF0-507F-623C-D505-000000004202}3180C:\Temp\doublezero-cleaned.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FFB71F28BCB) 10341000x8000000000000000120452Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:35.494{5F3DCEF0-5000-623C-BD05-000000004202}66964572C:\Users\Administrator\Downloads\dnSpy.exe{5F3DCEF0-507F-623C-D505-000000004202}3180C:\Temp\doublezero-cleaned.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FFB71F28BCB) 10341000x8000000000000000120451Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:35.494{5F3DCEF0-5000-623C-BD05-000000004202}66964572C:\Users\Administrator\Downloads\dnSpy.exe{5F3DCEF0-507F-623C-D505-000000004202}3180C:\Temp\doublezero-cleaned.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FFB71F32A4B) 10341000x8000000000000000120450Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:35.494{5F3DCEF0-5000-623C-BD05-000000004202}66964572C:\Users\Administrator\Downloads\dnSpy.exe{5F3DCEF0-507F-623C-D505-000000004202}3180C:\Temp\doublezero-cleaned.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FFB71F28BCB) 10341000x8000000000000000120449Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:35.494{5F3DCEF0-5000-623C-BD05-000000004202}66964572C:\Users\Administrator\Downloads\dnSpy.exe{5F3DCEF0-507F-623C-D505-000000004202}3180C:\Temp\doublezero-cleaned.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FFB71F28BCB) 10341000x8000000000000000120448Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:35.494{5F3DCEF0-5000-623C-BD05-000000004202}66964572C:\Users\Administrator\Downloads\dnSpy.exe{5F3DCEF0-507F-623C-D505-000000004202}3180C:\Temp\doublezero-cleaned.exe0x1038C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FFB71F27866) 10341000x8000000000000000120447Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:35.494{5F3DCEF0-5000-623C-BD05-000000004202}66965544C:\Users\Administrator\Downloads\dnSpy.exe{5F3DCEF0-507F-623C-D505-000000004202}3180C:\Temp\doublezero-cleaned.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FFB71F23DF9) 10341000x8000000000000000120446Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:35.494{5F3DCEF0-5000-623C-BD05-000000004202}66961172C:\Users\Administrator\Downloads\dnSpy.exe{5F3DCEF0-507F-623C-D505-000000004202}3180C:\Temp\doublezero-cleaned.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+2d6a1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+104b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+11e6c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+2c214|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+120a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120445Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:35.478{5F3DCEF0-28A1-623C-9400-000000004202}50243216C:\Windows\Explorer.EXE{5F3DCEF0-507F-623C-D505-000000004202}3180C:\Temp\doublezero-cleaned.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120444Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:35.478{5F3DCEF0-28A1-623C-9400-000000004202}50243216C:\Windows\Explorer.EXE{5F3DCEF0-507F-623C-D505-000000004202}3180C:\Temp\doublezero-cleaned.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120443Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:35.478{5F3DCEF0-28A1-623C-9400-000000004202}50243216C:\Windows\Explorer.EXE{5F3DCEF0-507F-623C-D505-000000004202}3180C:\Temp\doublezero-cleaned.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120442Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:35.478{5F3DCEF0-28A1-623C-8F00-000000004202}47164784C:\Windows\system32\taskhostw.exe{5F3DCEF0-507F-623C-D605-000000004202}5728C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120441Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:35.478{5F3DCEF0-28A1-623C-8F00-000000004202}47164784C:\Windows\system32\taskhostw.exe{5F3DCEF0-507F-623C-D605-000000004202}5728C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120440Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:35.463{5F3DCEF0-28A1-623C-9400-000000004202}50241524C:\Windows\Explorer.EXE{5F3DCEF0-507F-623C-D505-000000004202}3180C:\Temp\doublezero-cleaned.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120439Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:35.463{5F3DCEF0-28A1-623C-9400-000000004202}50241524C:\Windows\Explorer.EXE{5F3DCEF0-507F-623C-D505-000000004202}3180C:\Temp\doublezero-cleaned.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120438Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:35.463{5F3DCEF0-28A1-623C-9400-000000004202}50241524C:\Windows\Explorer.EXE{5F3DCEF0-507F-623C-D505-000000004202}3180C:\Temp\doublezero-cleaned.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120437Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:35.463{5F3DCEF0-28A1-623C-9400-000000004202}50241524C:\Windows\Explorer.EXE{5F3DCEF0-507F-623C-D505-000000004202}3180C:\Temp\doublezero-cleaned.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120436Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:35.463{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-507F-623C-D605-000000004202}5728C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bc660|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120435Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:35.463{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-507F-623C-D605-000000004202}5728C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10ac30|C:\Windows\System32\SHELL32.dll+bc61c|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120434Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:35.463{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-507F-623C-D605-000000004202}5728C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bc5f0|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120433Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:35.463{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-507F-623C-D605-000000004202}5728C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+1007b9|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120432Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:35.463{5F3DCEF0-286D-623C-1600-000000004202}12601932C:\Windows\system32\svchost.exe{5F3DCEF0-507F-623C-D605-000000004202}5728C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120431Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:35.463{5F3DCEF0-286D-623C-1600-000000004202}12601344C:\Windows\system32\svchost.exe{5F3DCEF0-507F-623C-D605-000000004202}5728C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120430Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:35.447{5F3DCEF0-507F-623C-D605-000000004202}57284680C:\Windows\system32\conhost.exe{5F3DCEF0-507F-623C-D505-000000004202}3180C:\Temp\doublezero-cleaned.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120429Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:35.447{5F3DCEF0-289E-623C-8500-000000004202}29804996C:\Windows\system32\csrss.exe{5F3DCEF0-507F-623C-D605-000000004202}5728C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000120428Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:35.447{5F3DCEF0-286D-623C-1200-000000004202}3961416C:\Windows\System32\svchost.exe{5F3DCEF0-507F-623C-D605-000000004202}5728C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120427Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:35.432{5F3DCEF0-5000-623C-BD05-000000004202}66961172C:\Users\Administrator\Downloads\dnSpy.exe{5F3DCEF0-507F-623C-D505-000000004202}3180C:\Temp\doublezero-cleaned.exe0x12367bC:\Windows\SYSTEM32\ntdll.dll+a9414|C:\Windows\System32\KERNELBASE.dll+c7145|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+11fc7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120426Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:35.432{5F3DCEF0-5000-623C-BD05-000000004202}66961172C:\Users\Administrator\Downloads\dnSpy.exe{5F3DCEF0-507F-623C-D505-000000004202}3180C:\Temp\doublezero-cleaned.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+2d6a1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+342a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+37aa|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+1ff2|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13db8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+12047|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120425Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:35.432{5F3DCEF0-5000-623C-BD05-000000004202}66961172C:\Users\Administrator\Downloads\dnSpy.exe{5F3DCEF0-507F-623C-D505-000000004202}3180C:\Temp\doublezero-cleaned.exe0x101479C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+3791|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+1ff2|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13db8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+12047|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120424Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:35.432{5F3DCEF0-5000-623C-BD05-000000004202}66961172C:\Users\Administrator\Downloads\dnSpy.exe{5F3DCEF0-507F-623C-D505-000000004202}3180C:\Temp\doublezero-cleaned.exe0x101479C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+56000|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13d66|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+12047|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120423Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:35.432{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120422Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:35.432{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120421Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:35.432{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120420Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:35.432{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120419Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:35.432{5F3DCEF0-289E-623C-8500-000000004202}29806004C:\Windows\system32\csrss.exe{5F3DCEF0-507F-623C-D505-000000004202}3180C:\Temp\doublezero-cleaned.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000120418Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:35.432{5F3DCEF0-5000-623C-BD05-000000004202}66961172C:\Users\Administrator\Downloads\dnSpy.exe{5F3DCEF0-507F-623C-D505-000000004202}3180C:\Temp\doublezero-cleaned.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+7436c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+5526b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13d31|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+12047|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000120417Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:35.445{5F3DCEF0-507F-623C-D505-000000004202}3180C:\Temp\doublezero-cleaned.exe-----"C:\Temp\doublezero-cleaned.exe"C:\Temp\ATTACKRANGE\Administrator{5F3DCEF0-28A0-623C-DB99-080000000000}0x899db2HighMD5=38A15145105BE943415EB1B1602C9C31,SHA256=0608FB940E1CE2EF38E3D16A6A0E436390AE87A193C4FE9AC7118510DB86B495,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe"C:\Users\Administrator\Downloads\dnSpy.exe" 10341000x8000000000000000120416Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:35.432{5F3DCEF0-286D-623C-1200-000000004202}3961416C:\Windows\System32\svchost.exe{5F3DCEF0-507F-623C-D505-000000004202}3180C:\Temp\doublezero-cleaned.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120415Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:35.432{5F3DCEF0-28A1-623C-9400-000000004202}50243216C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120414Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:35.432{5F3DCEF0-28A1-623C-9400-000000004202}50243216C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120413Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:35.432{5F3DCEF0-28A1-623C-9400-000000004202}50243216C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000120412Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:35.088{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8603F30A432557A5F0F5EDDCB0C2C0D2,SHA256=62277A310474FE04FCC13E0187F5BFDD1FD10E0A981AC49C840E6A5A3E4DA5CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086204Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:36.228{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2621960A2C686E18C6BC451DD0436753,SHA256=80FEA6EF3C58150BE3B90815FB4ACC699428501081408BD8223FEB47573890D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120466Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:36.244{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96EFCEB7567FE6F529389AE2EAF326B1,SHA256=56FBC933194B0DFF5BE58CD7B8BBEA87AD2EE8052BB4C923A607CE70EF48B5B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086205Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:37.321{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A8F7CBCB37ABE322CA5B383C9E255BF,SHA256=1E873FEECE54BBA2D251D4330B0FD17FC13BACE8C842976CBA86ABDAE4ADAC6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120467Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:37.368{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFBD51BE0FFBD5BFEBE0BB9D688DB47C,SHA256=F8BCF008E49CF7B03A573114A14D26300E1995D4AABE8D15545EC1F7A0CA8B14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120469Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:38.572{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9082790F52FE74E75E4199717AAF5AB5,SHA256=B4DE42E0F914292614D311182201A6DD2A56D36B4F92D51185A1856736BAFA03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086206Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:38.414{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76780F16AEC4C60CD884854110A5F44F,SHA256=3A74596E3AAB8CCCEE1FD3BD0CB263A9E5EDD8444EC40492AB94A3E8459749A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000120468Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:35.860{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63356-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000120471Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:39.665{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C762F9BE13D1032EB661E4D49847DC3F,SHA256=A37F14C7822FF59C91D8416B76EC5EB3A99FF0B0A4A7714894E1F8F1D55AAE09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086207Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:39.508{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04875A9F0E4F9F7627DF593B03F2E312,SHA256=35D4C646469038C095DD6DE80AAAEEEC27F4D6D89AA3D547D291654E84D6438E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120470Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:39.197{5F3DCEF0-286D-623C-1300-000000004202}488NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=B60C91009F70335CAE6C89BD89A2235B,SHA256=A3DD756830AF145CA7AA6680A77B260E999076B381BCC3D924A5E7D839E8B0E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120472Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:40.759{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF4461FB28C9C0F382B1071B858D3421,SHA256=DBCC7C4A41DA0CCF52823AD5C1DA8B1D3CA1BDC32AFCD8170E3A5B174EEA606D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086210Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:40.602{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAF8CF24938D74B69CC1FA8EC270EF33,SHA256=DD52AF912C9F17DF87EB73AF1F054CA614D3DEA1070B1F09BF9B7F7506EC196B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000086209Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:38.713{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51712-false10.0.1.12-8000- 23542300x800000000000000086208Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:40.008{9531C931-286D-623C-1200-000000004302}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=4F6EE45A9CA1DFC1CF55CA3EDBD5A9D3,SHA256=CAEE4E393BC4A5ED62FA8A361B4EE6666ACAF16334B64A453676DE2CFDA599CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120474Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:41.853{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09825583D3A9C45C70771569A2E43044,SHA256=D7A9B18FE78B91A907A510317E81ECF156E7936F1DBF7FD50BCB6D4CC41D9A4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120473Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:41.822{5F3DCEF0-287B-623C-3200-000000004202}2344NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B25FDCC12974A9C381F03B139373D5A,SHA256=CCB13157BCC6FA0284F12C6446F2447FFDD0F4F85F98465868293CDAEA96B09E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086211Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:41.696{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01A4565AEEACD2F2A78DBDFA1B04EDA5,SHA256=0AF7174434BB6E83A1B24478D2528EB8FBFEC1B2D700E50379E280D16932633C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086212Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:42.789{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2717B58107D909E9FF6A063A4438E32A,SHA256=956EEDF372007AEC388E7766EB534E7BB890DF702FD9E3A537E99C2D3E9EE5E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120475Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:42.947{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C040B196BC0E95FEB7C3C42A87940E00,SHA256=763EA7403FC2AA1609031C71633356318BE6F65A7252EDFFA43641CEE951E4CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086213Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:43.883{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=799A9E990B3074339BCD16B019E4F97C,SHA256=7F0AF3176CE64707EF1742AFFC7142C3F46B63240D82ECD00BCD3ED185F28888,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000120476Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:40.906{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63357-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000086214Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:44.977{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B52E3B932080318D7DC907DF9BC382F6,SHA256=918F1DE8DB94CA4F63C3B5BECCED436A3B76F882B8269291932859D9D2851118,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000120478Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:41.580{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63358-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000120477Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:44.040{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1560BF8030F17DF6FBAE432941C81DA5,SHA256=1B036F0858865B343A3856C9C21E59A7CBE1EAF376345B5B126174A3A5E16A53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120479Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:45.134{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0D4917E091F8C36AF7EED7CA44F9554,SHA256=3CC8342B705988E0FF6D1EC9709BD9ED4AE16A74C1402475FBE8387F9FC5B608,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000086216Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:44.667{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51713-false10.0.1.12-8000- 23542300x800000000000000086215Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:46.071{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93E52C127ED1D697BF925B1629779715,SHA256=175C775FD2482E591C928F2BEB8324F80B300436D02C01CBC8CD930D3E0DE9C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120480Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:46.228{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=886991ABB2656EB018A5313859339BE9,SHA256=11948E5593BECB33EDFF1613BDF61A54F7634E18282F7B54D7CC764261F4213A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086217Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:47.164{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=187266BD9D63C2A86A22C56AE3B5ADF7,SHA256=1D0E6738EEA7222BF846C62E13FE8E38182DD74E9D7FDA53BB3074A4DA16BAEC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120485Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:47.556{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120484Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:47.556{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120483Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:47.556{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120482Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:47.556{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000120481Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:47.322{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8524D3F99145B9EB936A4A1A3E27348,SHA256=FEA4CF7EF10ACE018CFCD4344E4470A9C974EFF70E002470E501B0BC40EFC23F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086218Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:48.258{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B05C871820E69037CE54F1C359A36D7E,SHA256=A3945389E9E7EA2AF4694E3CA2EDFF6BA0FB80FD028D26257871CDD0CFF28152,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120489Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:48.415{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B1E52B932BAAB8C33004107A1314A84,SHA256=3308A00A84446F695A3277DAC07A60C07AEFAABC7A6F13542B813C8C340EB36B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000120488Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:46.000{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63359-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000120487Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:48.197{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120486Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:48.197{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000086219Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:49.352{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0EF4F8E7947A28401DC1F7B99E592CB,SHA256=E6CB9B56F9681144108ECE9473D4BB822EB76617B9A3AC5B08E8D474DC1CBD97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120490Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:49.509{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9DF9E691A3556AD9DB15B14AC6AF51B,SHA256=B232DED2CDBF4A50EC55FC8AD31E1CB174044DD292A2D42A586969C0B976FFF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120491Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:50.603{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBA03C029E421D8D61F426B74A1F6A82,SHA256=01395F5D9E0185AB06B30EA86A9EB72528092669ABE190B92FEE9B6CF2384D41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086220Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:50.446{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25BFB0DFED7D5B965661B71EA846D5F9,SHA256=B797749F7A66930BA528EB3E00497EF1FF0B7DC345092D1CAB92FB5A95F4A8C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120492Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:51.697{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43AFF69FCD4D138AEA3B8F0FF12B9102,SHA256=BF9FBCF6B60745BF21BB978C4E8BC7BCC9DEE0D99C63CCDC5B71B51612E6DA58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086221Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:51.539{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D302BD4B2FC0F90D76D89CCEF720DA67,SHA256=55081C96C49E8AECD805E1F0FEF7033940B9BF0872EA2B86B94308B96354B8A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120498Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:52.790{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FA86282DB999C208B2B511172EB6254,SHA256=A4B7A6302655A8186EE4370B7DC3C259922BF889B74DB5784CCE430ACC85B7A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000086250Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:52.915{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-5090-623C-3D05-000000004302}692C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086249Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:52.915{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086248Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:52.915{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086247Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:52.915{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086246Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:52.915{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086245Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:52.915{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086244Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:52.915{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086243Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:52.915{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086242Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:52.915{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086241Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:52.915{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086240Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:52.915{9531C931-286C-623C-0500-000000004302}4081060C:\Windows\system32\csrss.exe{9531C931-5090-623C-3D05-000000004302}692C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000086239Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:52.915{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-5090-623C-3D05-000000004302}692C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000086238Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:52.915{9531C931-5090-623C-3D05-000000004302}692C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000086237Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:49.760{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51714-false10.0.1.12-8000- 10341000x800000000000000086236Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:52.711{9531C931-5090-623C-3C05-000000004302}33482552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000086235Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:52.664{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADE96CD2C64AF6EC9718F457BBCAE194,SHA256=B6521176A03B102C6A430FCAA98F56D2EB026DD80CB51750A56EA9B8222078E9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120497Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:52.134{5F3DCEF0-28A1-623C-9400-000000004202}50243216C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120496Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:52.134{5F3DCEF0-28A1-623C-9400-000000004202}50243216C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120495Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:52.134{5F3DCEF0-28A1-623C-9400-000000004202}50243216C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120494Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:52.087{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120493Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:52.087{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086234Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:52.289{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-5090-623C-3C05-000000004302}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086233Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:52.289{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086232Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:52.289{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086231Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:52.289{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086230Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:52.289{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086229Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:52.289{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086228Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:52.289{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086227Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:52.289{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086226Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:52.289{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086225Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:52.289{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086224Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:52.289{9531C931-286C-623C-0500-000000004302}4081060C:\Windows\system32\csrss.exe{9531C931-5090-623C-3C05-000000004302}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000086223Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:52.289{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-5090-623C-3C05-000000004302}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000086222Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:52.290{9531C931-5090-623C-3C05-000000004302}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000120500Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:53.884{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BCC0E380F9D2681F8CB0020791F43C3,SHA256=EF7C6AE495080E468E31882B8BF13BA43438B308AA8FF3E91960AED2A0DC3BBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086252Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:53.758{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FFFCEA5856569DC477E97EF409D2A38,SHA256=B851417760318AEB9A3FA169E0B36DCD2B48389D1DB726ACBB7A148754657F49,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000120499Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:51.766{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63360-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000086251Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:53.383{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78682BA17CA668AEAD37BA007D0EA43E,SHA256=784A914EE0729D449AB6701699FFEBBECC9EC15AAF42A00391096A583D5C3B85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120501Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:54.978{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAFBCC265EEFDAAD2804E487CBF43C0F,SHA256=3310EB38AECC88A20586A0C68E5D0CB316A71F1A3AC4AD6D1A8D85B0B49224D8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000086266Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:54.977{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-5092-623C-3E05-000000004302}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086265Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:54.977{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086264Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:54.977{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086263Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:54.977{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086262Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:54.977{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086261Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:54.977{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086260Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:54.977{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086259Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:54.977{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086258Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:54.977{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086257Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:54.977{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086256Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:54.977{9531C931-286C-623C-0500-000000004302}408528C:\Windows\system32\csrss.exe{9531C931-5092-623C-3E05-000000004302}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000086255Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:54.977{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-5092-623C-3E05-000000004302}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000086254Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:54.978{9531C931-5092-623C-3E05-000000004302}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000086253Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:54.852{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=765E99F72C29E8336D8B930124F8025D,SHA256=FB1390D9E03A0E9DAF2D5FD9D9DF920430A1296C1A6CDF76B6E461E0B86903F3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000086282Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:55.950{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-5093-623C-3F05-000000004302}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086281Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:55.950{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086280Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:55.950{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086279Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:55.950{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086278Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:55.950{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086277Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:55.950{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086276Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:55.950{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086275Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:55.950{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086274Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:55.950{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086273Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:55.950{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086272Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:55.950{9531C931-286C-623C-0500-000000004302}408424C:\Windows\system32\csrss.exe{9531C931-5093-623C-3F05-000000004302}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000086271Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:55.950{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-5093-623C-3F05-000000004302}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000086270Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:55.950{9531C931-5093-623C-3F05-000000004302}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000086269Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:55.934{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D24DC27692C0E12AE389CFC5AF05C86B,SHA256=2217A04919F65438EB466F104B40330B226D11FEE73D3EB5B9FB5A24BA7F23A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120504Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:55.290{5F3DCEF0-28A1-623C-9400-000000004202}50243216C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120503Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:55.290{5F3DCEF0-28A1-623C-9400-000000004202}50243216C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120502Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:55.290{5F3DCEF0-28A1-623C-9400-000000004202}50243216C:\Windows\Explorer.EXE{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000086268Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:55.607{9531C931-286E-623C-1F00-000000004302}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0461bb3aaa367e86a\channels\health\respondent-20220324081441-166MD5=E0BA989DE2EAC2D304FA728EF5181BE5,SHA256=79811ABCB3575FCAAAD7A2ED1966FC2D319842A68AFDD7DF3600AD47FF32DF65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086267Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:55.495{9531C931-286E-623C-2100-000000004302}2000NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=357319BD39E885C8A526E58F6D8A6EDC,SHA256=892F638B083B030E421081E0F3A3D9714616E119C11FCFCE6CE27FA93F6825FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120505Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:56.072{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=340DA8260A3443781080B8B42E25DD7B,SHA256=0884EC9C085DA35E8A6A864003EF7F2E1E92ADEFDEF36432D8074B9663AD9EEE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000086298Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:56.858{9531C931-5094-623C-4005-000000004302}37763608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086297Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:56.619{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-5094-623C-4005-000000004302}3776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086296Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:56.617{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086295Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:56.617{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086294Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:56.617{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086293Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:56.617{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086292Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:56.617{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086291Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:56.617{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086290Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:56.617{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086289Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:56.617{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086288Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:56.617{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086287Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:56.616{9531C931-286C-623C-0500-000000004302}408424C:\Windows\system32\csrss.exe{9531C931-5094-623C-4005-000000004302}3776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000086286Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:56.616{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-5094-623C-4005-000000004302}3776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000086285Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:56.616{9531C931-5094-623C-4005-000000004302}3776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000086284Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:56.607{9531C931-286E-623C-1F00-000000004302}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0461bb3aaa367e86a\channels\health\surveyor-20220324081439-167MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000086283Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:56.247{9531C931-5093-623C-3F05-000000004302}39403496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086313Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:57.404{9531C931-5095-623C-4105-000000004302}25601332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086312Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:57.216{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-5095-623C-4105-000000004302}2560C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086311Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:57.216{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086310Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:57.216{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086309Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:57.216{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086308Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:57.216{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086307Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:57.216{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086306Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:57.216{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086305Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:57.216{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086304Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:57.216{9531C931-286C-623C-0500-000000004302}408528C:\Windows\system32\csrss.exe{9531C931-5095-623C-4105-000000004302}2560C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000086303Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:57.216{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086302Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:57.216{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086301Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:57.216{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-5095-623C-4105-000000004302}2560C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000086300Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:57.218{9531C931-5095-623C-4105-000000004302}2560C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000086299Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:57.216{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=950C0C03952CF05DEF4060337EEF68FC,SHA256=4D11402A9DFF68D50EC87927B25C5AAE88E049F7D6013F153E24825381F17F53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120510Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:57.169{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=131494FEBAE9240BEF849005251461D5,SHA256=8D886F31ACC7C8B53F6DA92F0E851D39849C1B8B28661501F736C4FAE2C7DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120509Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:57.091{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120508Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:57.091{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120507Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:57.091{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120506Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:57.091{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000086315Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:58.279{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30B4954D427AAB8B72713EBD182C91E9,SHA256=A5A3B67251509E880836B49139E475AEF03730645E60445805FF407A1145F054,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000120512Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:56.925{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63361-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000120511Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:58.154{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9342F3CA3031A89AAC528A7D7867C8A0,SHA256=BDA042FE25CEBE65E4829E5BA4D3EC426B9644CE48D33610193663682DE1082C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000086314Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:54.798{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51715-false10.0.1.12-8000- 23542300x800000000000000086329Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:59.372{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=039C2CB4B5014CCB9A040C2698953FC5,SHA256=19DD97C890C01A41D51007D509C07946AD4BE31D7A0ACE245860AF6B8A5AD914,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000086328Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:59.326{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-5097-623C-4205-000000004302}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086327Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:59.326{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086326Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:59.326{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086325Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:59.326{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086324Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:59.326{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086323Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:59.326{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086322Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:59.326{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086321Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:59.326{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086320Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:59.326{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086319Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:59.326{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086318Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:59.326{9531C931-286C-623C-0500-000000004302}408528C:\Windows\system32\csrss.exe{9531C931-5097-623C-4205-000000004302}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000086317Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:59.326{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-5097-623C-4205-000000004302}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000086316Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:59.326{9531C931-5097-623C-4205-000000004302}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000120513Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:05:59.206{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02B856872D9F83248B5651BC17AE98EA,SHA256=C7F4D95B0B09B2ECC13C0AF9FD566C1738683654118E81A7CB0AEA6DD5B0A657,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086331Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:00.388{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E4E8D417B4233C628A8DE21A0C3C5383,SHA256=2CC31FD8C9370F0E8A9E2E0F574CA066986A0928BC8FB3CFD6FDF0E14A93532F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086330Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:00.357{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=105C22FBF94F4CFC23B1F1A0599616EE,SHA256=D28B2A62B0522140A6B0A23D1F26A49D9792E6F3304E6DA3014DC4C9A4D3C196,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120514Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:00.257{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA4859CA988BBFB8A04E47C22FD18EDA,SHA256=BF7AAB4706A13545C124DF565F3CA00160FB1A1040B4CC45A19FAFF14D2068CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086332Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:01.451{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1080AC4264D11D86F7198EE9287493BC,SHA256=702571193F040631A4DEF0E37084AB1F9C9A4B20159B0649B830F832FEED1281,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120535Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:01.866{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120534Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:01.866{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120533Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:01.850{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120532Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:01.850{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120531Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:01.788{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120530Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:01.788{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120529Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:01.788{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120528Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:01.788{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120527Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:01.772{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120526Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:01.772{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120525Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:01.757{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120524Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:01.757{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120523Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:01.741{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120522Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:01.741{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120521Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:01.710{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120520Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:01.710{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120519Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:01.694{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120518Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:01.694{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120517Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:01.663{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120516Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:01.663{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000120515Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:01.350{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D4E16A26EF0D017E2E79A8584972668,SHA256=E31E89C2D1F66D41E51FEAC24C03D44CE7B8E2620998864183F75A3B6789F720,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120544Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:02.569{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-509A-623C-D705-000000004202}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120543Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:02.569{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120542Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:02.569{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120541Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:02.569{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120540Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:02.569{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120539Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:02.569{5F3DCEF0-286A-623C-0500-000000004202}404420C:\Windows\system32\csrss.exe{5F3DCEF0-509A-623C-D705-000000004202}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000120538Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:02.569{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-509A-623C-D705-000000004202}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000120537Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:02.570{5F3DCEF0-509A-623C-D705-000000004202}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000120536Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:02.444{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39369660664243EA2F04CDB2B90C47DB,SHA256=40A54C5C0601B5E29EF61CBFED30B4769D232810C114C8FC9B459FF84F486A92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086334Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:02.544{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B877386E80240CC2BBC0AAEB7402AE37,SHA256=B46B092C1BFE087BD9E01EB4D282ECBA4AC3E7F7279DCD385D95B2FB5B5B637F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000086333Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:05:59.812{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51716-false10.0.1.12-8000- 23542300x8000000000000000120554Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:03.694{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF01C4F298A16E18B9DCD9D760A0E894,SHA256=B79FC2B0D5A046B5708251C48B7CAA9E8163B91CF24A71AAF5E179EC59D21ABE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120553Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:03.538{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EECF453EAFD7468525B45AC8D9EB068A,SHA256=83F8F1A74F8F9CDE5355459E352D3DB34B08570BCE01A513B14593E8AD1300EC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120552Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:03.538{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-509B-623C-D805-000000004202}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120551Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:03.538{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120550Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:03.538{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120549Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:03.538{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120548Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:03.538{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120547Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:03.538{5F3DCEF0-286A-623C-0500-000000004202}4041324C:\Windows\system32\csrss.exe{5F3DCEF0-509B-623C-D805-000000004202}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000120546Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:03.538{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-509B-623C-D805-000000004202}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000120545Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:03.539{5F3DCEF0-509B-623C-D805-000000004202}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000086335Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:03.638{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D23BD9C0279D8737D443B5F9DD33CB17,SHA256=C11FEEA6D17B288237C7B96DF82CC1FFAC0D23F09425E2D07F431319BBFFE701,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086336Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:04.732{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3D37491D235387D1412BBCBF6840B65,SHA256=903876F7BBCDDFCA08614CC29E61A4BFB6F78BFBEC197B98320B56EA13340FB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120564Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:04.632{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8ADE122B8053B2C7E9808F7FB0A2843,SHA256=4E43C727CFBFACD97A31DEDEB17261EDDC35D6977E59288BCFA2E18E4E14B23B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120563Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:04.428{5F3DCEF0-509C-623C-D905-000000004202}65566536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120562Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:04.210{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-509C-623C-D905-000000004202}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120561Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:04.210{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120560Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:04.210{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120559Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:04.210{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120558Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:04.210{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120557Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:04.210{5F3DCEF0-286A-623C-0500-000000004202}404608C:\Windows\system32\csrss.exe{5F3DCEF0-509C-623C-D905-000000004202}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000120556Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:04.210{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-509C-623C-D905-000000004202}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000120555Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:04.210{5F3DCEF0-509C-623C-D905-000000004202}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000086337Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:05.826{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0E99DD5ED16900F5580DEFFF8BD5AC4,SHA256=85EA5B0BDB1CF8C2E60441DA64234177BF7541CE45A2736CE81E923C7BB1B4C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120567Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:05.741{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8415AA009FCB2789255C792C7D158B5,SHA256=50C32E1239516FAF905A3DF00A09207CCF74E580CE45107944690FB8ABFD8BFC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000120566Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:02.966{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63362-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000120565Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:05.178{5F3DCEF0-287B-623C-3200-000000004202}2344NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=21B6B3414B63CC8756FBE6026866BA74,SHA256=4F294ADED639A629FD03B69DED49AF453757561CD9F2B149B82DB0EE9222A2C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120568Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:06.835{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49544E1B40FE411AF97E0353F47FEA28,SHA256=0093FBEA0F67FA3F8FE01B79AD1E400D14B13631CF8CEA4077836A354C8A1319,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086338Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:06.919{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A89A7E8C8C78EDA680FC05769E426E9F,SHA256=5044549BEE955649A1E59446B26962FED3E6014A2CAA901E0251FD479E7D9D06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120580Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:07.928{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E416E6EA28B6C2CDA02676635966F73,SHA256=172651248410FF355A245785BAF770A5C8E411CD62CCA3CE1D29DC08417C966E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000120579Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:05.904{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local63363-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local389ldap 354300x8000000000000000120578Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:05.904{5F3DCEF0-287B-623C-2E00-000000004202}3044C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local63363-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local389ldap 10341000x8000000000000000120577Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:07.257{5F3DCEF0-509F-623C-DA05-000000004202}58361048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120576Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:07.053{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-509F-623C-DA05-000000004202}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120575Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:07.053{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120574Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:07.053{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120573Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:07.053{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120572Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:07.053{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120571Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:07.053{5F3DCEF0-286A-623C-0500-000000004202}4041324C:\Windows\system32\csrss.exe{5F3DCEF0-509F-623C-DA05-000000004202}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000120570Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:07.053{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-509F-623C-DA05-000000004202}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000120569Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:07.055{5F3DCEF0-509F-623C-DA05-000000004202}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000120597Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:08.867{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-50A0-623C-DC05-000000004202}6252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120596Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:08.867{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120595Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:08.867{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120594Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:08.867{5F3DCEF0-286A-623C-0500-000000004202}404520C:\Windows\system32\csrss.exe{5F3DCEF0-50A0-623C-DC05-000000004202}6252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000120593Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:08.867{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120592Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:08.867{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120591Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:08.867{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-50A0-623C-DC05-000000004202}6252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000120590Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:08.868{5F3DCEF0-50A0-623C-DC05-000000004202}6252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000120589Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:08.666{5F3DCEF0-287B-623C-2F00-000000004202}3064NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-055648375a9ac07a7\channels\health\respondent-20220324081453-166MD5=AC296348C12F899BF0F527F2984A2DD1,SHA256=A35560BD23E94F5C9C2AA7752B988DA786BB94608EDDAF755EB3DCD02CE684A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120588Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:08.195{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-50A0-623C-DB05-000000004202}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120587Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:08.195{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120586Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:08.195{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120585Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:08.195{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120584Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:08.195{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120583Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:08.195{5F3DCEF0-286A-623C-0500-000000004202}404608C:\Windows\system32\csrss.exe{5F3DCEF0-50A0-623C-DB05-000000004202}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000120582Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:08.195{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-50A0-623C-DB05-000000004202}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000120581Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:08.196{5F3DCEF0-50A0-623C-DB05-000000004202}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000086340Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:05.671{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51717-false10.0.1.12-8000- 23542300x800000000000000086339Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:08.013{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D41E5593269CC9B1438529F047D2E648,SHA256=42A5E72BB4270A0D05899D1F2B675CA3160A1A7242DA40D0766258EB3ED5A51C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086341Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:09.107{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=321968FA4B17FFCDA3DAC01364BBFC15,SHA256=C8C577B4CE912C77D9FC9A1B64D6D842878D3BAB39C11BF633C4E59F4E6FBBE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120610Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:09.680{5F3DCEF0-287B-623C-2F00-000000004202}3064NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-055648375a9ac07a7\channels\health\surveyor-20220324081451-167MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120609Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:09.570{5F3DCEF0-50A1-623C-DD05-000000004202}70566472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120608Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:09.367{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-50A1-623C-DD05-000000004202}7056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120607Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:09.367{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120606Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:09.367{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120605Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:09.367{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120604Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:09.367{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120603Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:09.367{5F3DCEF0-286A-623C-0500-000000004202}404608C:\Windows\system32\csrss.exe{5F3DCEF0-50A1-623C-DD05-000000004202}7056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000120602Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:09.367{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-50A1-623C-DD05-000000004202}7056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000120601Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:09.368{5F3DCEF0-50A1-623C-DD05-000000004202}7056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000120600Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:09.289{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9EACE8EC9BBA9D74CB0068441BF5598,SHA256=6F4156F95088DA07641930B1E0C5E462972275A5F47D51875F1D71F1E6654F4D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120599Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:09.101{5F3DCEF0-50A0-623C-DC05-000000004202}62527084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000120598Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:09.039{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56EDAB182F2757CE6B7DC9CC740D5BB1,SHA256=B2D3C26C956E3E6221F8B599525DD80E837602648B2A7D0D1736E7A207A3A9E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086342Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:10.201{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C64A6CB927A6AA2308F345486322F78,SHA256=1898EB8A972BDCC1524E8B284CF8F2E805425EBB2D502AED31DEE1DC7478DAF9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000120612Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:08.935{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63364-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000120611Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:10.115{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2950F6B2B8AEE887A99296FE39B8372D,SHA256=B1FC904A44A9AF05D72748420B5B9C59BFBCDE726BFC3C8D62AF2534CE13DA11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086343Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:11.294{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA2552AE9DDA917DFCB161A46C1ADC78,SHA256=434BCB686F3A026359FAE8A1C115D47A5B86E4C34D73537639C951A5BFF6F0E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120613Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:11.212{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F93F2E1DAF95944434EE4281CDBA788,SHA256=0BA769AB6BDA3FA1B21E684BD6CA3B8DB3C718A65B2E239DF7F03AC1B52C800C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086344Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:12.388{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F95700D195A481EC3ED14D7551574B79,SHA256=B63AA24530209EF7D569DD4C7D6B8FBB7DCEBF9EBCDC55E3EC5D1D2A55CDC38E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120614Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:12.306{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CC00B262E37C7B05F0B83F13EE7877C,SHA256=EBCC5937E5745EC9142EF128400F8FC9A03474BA9879B8FF34B35F8DA560CA7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086345Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:13.497{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D72AC6912CDB90077F74FBAD405C9FC,SHA256=9B13E51390F102BD50138F328AFBF4CC91D8BDB42DBEEB46859784AC2043F2D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120615Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:13.400{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF74E9E9877CFB0FA6CE91A45EA1E46B,SHA256=C8F4967A4EA0B31DFA82FA1EE2D7DF56AD99B680104F69D08CC5608DAAC63B3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086347Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:14.591{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D38A49B17C42A3A8DF9CA2B887E67021,SHA256=7BB5930F23C114483413F924A708D2EF3E49FB359E328FF22B3615735A524983,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120616Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:14.494{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94C43CBF8EDD00E706C35DDD74BEE522,SHA256=FA3EC09B9DD816F1B9F1A87635886231B810990A12748B6DE67E91DEADEB40F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000086346Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:11.609{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51718-false10.0.1.12-8000- 23542300x800000000000000086348Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:15.685{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E67613263CF19CBD9BB0AB9758371AE,SHA256=E0D3A6F47FAF5A36DEF642E7B5E05CA2E4AA99188BDBC3E8FFECF5D8528F2168,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120630Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:15.587{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F87B67D277BF4A61D06B0419E85733A,SHA256=5529CC2337CA77F6EAE7799424E28B5E771F243F557709E81933DCCEBF76082B,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000120629Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:15.540{5F3DCEF0-507F-623C-D505-000000004202}3180C:\Temp\doublezero-cleaned.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x8000000000000000120628Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:15.525{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-507F-623C-D505-000000004202}3180C:\Temp\doublezero-cleaned.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120627Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:15.525{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-507F-623C-D505-000000004202}3180C:\Temp\doublezero-cleaned.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120626Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:15.525{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-507F-623C-D505-000000004202}3180C:\Temp\doublezero-cleaned.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120625Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:15.509{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-507F-623C-D505-000000004202}3180C:\Temp\doublezero-cleaned.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120624Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:15.494{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-507F-623C-D505-000000004202}3180C:\Temp\doublezero-cleaned.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120623Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:15.494{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-507F-623C-D505-000000004202}3180C:\Temp\doublezero-cleaned.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120622Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:15.494{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-507F-623C-D505-000000004202}3180C:\Temp\doublezero-cleaned.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000120621Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-SetValue2022-03-24 11:06:15.197{5F3DCEF0-287B-623C-3500-000000004202}2112C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\C415B540-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_C415B540-0000-0000-0000-100000000000.XML 13241300x8000000000000000120620Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-SetValue2022-03-24 11:06:15.181{5F3DCEF0-287B-623C-3500-000000004202}2112C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\E24E79DA-871C-4F1E-B921-5D1DF27ADC35\Config SourceDWORD (0x00000001) 13241300x8000000000000000120619Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-SetValue2022-03-24 11:06:15.181{5F3DCEF0-287B-623C-3500-000000004202}2112C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\E24E79DA-871C-4F1E-B921-5D1DF27ADC35\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_E24E79DA-871C-4F1E-B921-5D1DF27ADC35.XML 10341000x8000000000000000120618Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:15.181{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-287B-623C-3500-000000004202}2112C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120617Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:15.181{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-287B-623C-3500-000000004202}2112C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000086349Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:16.777{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6FB96BC73A39ED9299C2D2ECE00EDEA,SHA256=44CCFE34044F4CD79C8972F58AD11C8B991F105C38E944BE2A06B6378C731A03,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120643Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:16.887{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-287B-623C-3500-000000004202}2112C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120642Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:16.887{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-287B-623C-3500-000000004202}2112C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120641Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:16.887{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-287B-623C-3500-000000004202}2112C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000120640Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:15.290{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63367-false10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local389ldap 354300x8000000000000000120639Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:15.290{5F3DCEF0-507F-623C-D505-000000004202}3180C:\Temp\doublezero-cleaned.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63367-false10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local389ldap 354300x8000000000000000120638Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:14.939{5F3DCEF0-286D-623C-0D00-000000004202}884C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:44c5:ef28:42ec:7b5win-dc-tcontreras-attack-range-891.attackrange.local63366-truefe80:0:0:0:44c5:ef28:42ec:7b5win-dc-tcontreras-attack-range-891.attackrange.local135epmap 354300x8000000000000000120637Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:14.939{5F3DCEF0-287B-623C-3500-000000004202}2112C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:44c5:ef28:42ec:7b5win-dc-tcontreras-attack-range-891.attackrange.local63366-truefe80:0:0:0:44c5:ef28:42ec:7b5win-dc-tcontreras-attack-range-891.attackrange.local135epmap 354300x8000000000000000120636Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:14.000{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63365-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000120635Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:16.574{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A05D5CB42141620F9693376B5FAF4D89,SHA256=A02A422156F4335542245F85C203EC9E0BD38A39A93720FF266F57BC5A0B7CC1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120634Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:16.040{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-287B-623C-3500-000000004202}2112C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120633Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:16.040{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-287B-623C-3500-000000004202}2112C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120632Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:16.040{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-287B-623C-3500-000000004202}2112C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000120631Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:16.009{5F3DCEF0-507F-623C-D505-000000004202}3180ATTACKRANGE\AdministratorC:\Temp\doublezero-cleaned.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\SchCache\win-dc-tcontreras-attack-range-891.attackrange.local.schMD5=3B3531A335298119AD90D9B9BEB810AF,SHA256=77996876B4230A7DFCE13A77C0AA2E3B969AFA2A4562FD8583B6DDE3742EB2AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086350Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:17.872{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=955C007EEDEB50A54DC23115120EDBAA,SHA256=D82347ADFE2694842BA1CA834A2135D88E89876EE04BC1D70D360F35B1502CED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120650Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:17.668{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=215A7DEA32104842FF10E53FF0AE2FE3,SHA256=24EA9F4940722224FFDE7A7F6C84E0A90B4489486CAF281A281966D44B592E70,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000120649Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:15.796{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63368-false10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local389ldap 354300x8000000000000000120648Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:15.796{5F3DCEF0-287B-623C-3500-000000004202}2112C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63368-false10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local389ldap 22542200x8000000000000000120647Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:15.528{5F3DCEF0-507F-623C-D505-000000004202}3180win-dc-tcontreras-attack-range-891.attackrange.local0fe80::44c5:ef28:42ec:7b5;::ffff:10.0.1.14;C:\Temp\doublezero-cleaned.exe 23542300x8000000000000000120646Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:17.074{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7E1BD7DAA8D6A0C40EC909BB53E5D366,SHA256=19196FC6CBAADDC073D3F9879BA2789E74703FCEDB327856F23E12BDB90A4AD4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120645Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:17.043{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-287B-623C-3500-000000004202}2112C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120644Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:17.043{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-287B-623C-3500-000000004202}2112C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000086351Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:18.964{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEBC871DA46F4375368FBA0182805BD6,SHA256=A0B91D71D68E135FE8DA30065B9AE31A1BE9525FF0CF9704F835685661B815DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120653Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:18.871{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=601C9665342114461893C674EEB771F5,SHA256=77FDD052ADDB35C99C59BC57B4F02B305202394FF8F1EC119B5D29513E7E5CF7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000120652Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:16.643{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63369-false10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local389ldap 354300x8000000000000000120651Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:16.643{5F3DCEF0-287B-623C-3500-000000004202}2112C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63369-false10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local389ldap 23542300x8000000000000000120654Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:19.965{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B8D3A2DAE0623A14C3A14F43B63A30A,SHA256=1C62D379A6270DBAE3AC06F63C3B37BA87D10874B9781897E3ED293B5C649173,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000086352Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:16.638{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51719-false10.0.1.12-8000- 23542300x800000000000000086353Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:20.058{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76916A8E8187596EEA743E8EDCBEC07F,SHA256=FEF71E9FB03BCFCD5955F5BECDB2CAA94867404CCE1B2B9D4D44B070684A7157,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086354Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:21.261{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75742BD1D897FDB720EEF8343D89CCEF,SHA256=74E9C16CE08AC60CAE500DDDCE0A4E2EFDCA395F26624154CE4ED3CF6F879932,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000120656Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:19.940{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63370-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000120655Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:21.059{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F111943B5C7BB6B8C100709508A3020D,SHA256=26D88D2328849448711D2DF1A7A01AE3D6CB043F281C882BE86CA85D0CC4D156,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086355Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:22.355{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A136658261C694F52EAD26E9DD17C35,SHA256=1AD8F5DCFBA60767C22315430AAAEF1BA7A1D070C39602B3D1738E7D091C36C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120657Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:22.152{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9381250159AC434EB863573DAF7EE184,SHA256=3C1A5501E7CE5D6FCA73ED0895AC83BE5F6E1A68F825437BC700A7B518DD22EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086356Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:23.448{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72F4263BAF0C2A426B5D04E77DF5CA14,SHA256=C65089E0760582F5BEC883966B42001D2E0E46671CB3DA87B6BC26D74F507CFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120658Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:23.246{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=022DDC99C864E28F52CF6403BC676641,SHA256=21E065BF505D3F92E4620735035912DA183F1D89FB2CC173D194EEF15F8DA484,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000086358Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:22.607{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51720-false10.0.1.12-8000- 23542300x800000000000000086357Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:24.542{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BA2BAD4C6157BB06C34F22F68864E04,SHA256=C8B967718422AC8B563648C0655258FFDFEE1E0AAEAEF1DE201845417F098A6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120659Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:24.449{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D3C21B4DF038A280FCD876ABE3B3582,SHA256=607A6AB066DFE2B1DD32104EC501BEF9206EEFD8A27AC7C02F583733B2581B7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086360Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:25.652{9531C931-286E-623C-2100-000000004302}2000NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=850DA086F49847014763F00A3BD30A74,SHA256=19B39F8DF9D53716F5F807AF6C8B2934B2A8E35661EC403AC1106529E25A089F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086359Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:25.636{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A07A5DE3AB2ABA9925B2399E593041D,SHA256=274E962662E184A5C7BB7E3C8085635FDC9895EB2ECA122E7BF0ADBC5A59CC56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120660Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:25.559{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12C89D72A965472D357CC9B995C5FFAC,SHA256=DA2EBB29570B21BA58CB1A1AD247A48EB54C480415AF28C8E47D0ADAF4AA4DC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086361Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:26.730{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC857D1D7C446D08AE81C132002334E8,SHA256=2F766EC3F82D6D4AD59A9849741C05E856FF060F7E8A5E4FD87141F2CDF689C0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000120662Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:25.002{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63371-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000120661Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:26.652{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F631938630B67EE25E794653309DBE3A,SHA256=C3A7365F50317EE6213427F094B9E6C71D7B5AABB29AF63E7EF5B4196EE5387F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086362Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:27.823{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16884170066E0B35CC0841BAA7E21362,SHA256=6D4DF5C6FD5E3961915988861D7A972976CBBFDADDA9ED11A5430D5D072C754A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120663Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:27.746{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2226D52E889C90FB7686FCFC1FB7E6F4,SHA256=9FA2AAE8833EA0ACBC63F110019DE018AD83F91C6C7AA8F20452525D7C9E3DC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086363Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:28.917{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F93D27038F2F7042FD30BD7D57CDBF1,SHA256=B6D3C2837C58C8CC04C7EFEA77A3F74058A4B13278C90EAB8E0446A1B1718D60,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120666Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:28.965{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120665Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:28.965{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000120664Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:28.840{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5349E39F16214072FDED09DA771B2F9,SHA256=87B708C653347B17966134A8C2F7C4ACD4D39B10585CE3F0113882A504AD9908,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120667Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:29.934{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=843EFEFFF9BCA7D838F436F48AF26DA5,SHA256=3C8B71AB37148812FD2DF3EBDBBDC442E9F3964789DD03D7A957A9F8E46244B5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000086364Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:27.623{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51721-false10.0.1.12-8000- 23542300x800000000000000086365Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:30.011{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6913EB1B8AB3D56CE3C67B2B929C4C03,SHA256=5EDEB61DC1C15C1706719303C1BE65FB51B415D369539431E05B67006A8F8E88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120668Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:31.027{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2373943CEEBD79F8F445FF0234B836E,SHA256=9A36004BC5E026F01BA37D5F70AC3BF474E3BD67CCC4624AED4D1626D197735A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086367Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:31.589{9531C931-286E-623C-2100-000000004302}2000NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B25FDCC12974A9C381F03B139373D5A,SHA256=CCB13157BCC6FA0284F12C6446F2447FFDD0F4F85F98465868293CDAEA96B09E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086366Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:31.105{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDDE5A5E69098F4A5CCE8FA79E9AB725,SHA256=7C3CC57435E924FBB4F566FEA01E269A7549CE2E6E719F66908383D9DB40A4F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120669Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:32.121{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76833DB7F22360D52393BEF7E900CC91,SHA256=1430A75B0793260E6FF2434D69D6B8892BADAAC5A7F39FE2E0BA4C844EAC60E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086368Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:32.214{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E03D36ACB6DEEC2C34ECE181B0771D9,SHA256=09E5BE092365FA5A32ADA8D8727026267C9B23AB33B14DCBD9B741C508B3C74D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086369Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:33.308{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=100E8EF16A56BCCBD9A9822FA1812B69,SHA256=0B7E649765DB33079AD4A2762FF8C4DF0990B1D48CF9A57E1659FE16DC9639DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000120671Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:30.877{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63372-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000120670Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:33.215{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4CDF833C83B195CD50B949701D08BD6,SHA256=63DF7F6B1E7BD56A25AB43D679FB7561DE43673BED6A9E4A66B6E91470D476BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086371Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:34.402{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F289BA675BBF541321F5E249B262D50D,SHA256=7DB5D3E764E2AA43B3E7780FFB5E4435F1255B53B22B68AE4E2112C1CD61C63A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120672Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:34.309{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE4D81A5B86FB9B1A619E3FDD70D0216,SHA256=F05203D01344942C1B0D4B4AF4E434362F903E5F35A38B53B27D6BC34F0F1F6C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000086370Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:31.123{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51722-false10.0.1.12-8089- 23542300x800000000000000086373Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:35.495{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6E2768C4ADF74FB5474092EF426DCDA,SHA256=A3F8E2CAD08465BF3FC60A7BBD457FFECA5061DBAC08F1774DC08B0CAFB87C4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120674Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:35.480{5F3DCEF0-287B-623C-3200-000000004202}2344NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=F89FFAD85DB4BC93E4EBEAFF9B0FF019,SHA256=5A2563E819E6B6B1B2D285F50EF75A868F00E5D0A29EBFE168DFAA8D41626CA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120673Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:35.402{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AB64EEE3DADF47DF80956793021C0CE,SHA256=21B270A2AE08B94D5106DFAC03F486DECDC5DD686DE531181D24D0D03C84CB29,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000086372Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:32.794{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51723-false10.0.1.12-8000- 23542300x800000000000000086374Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:36.588{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC263A0A6F3DA2E52D21FF0E38764F20,SHA256=755CB0F9CB4FF8D1C2F73A39A62AB8516D8B0D9EDC6271DB959AF3FEB9C5E299,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120675Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:36.495{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE9F8BC520D006C076CAE45319E7FB4C,SHA256=30E872AC1DF3A0323B3CD316738A32448D102ABD151963E075B4DE499A3447B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086375Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:37.681{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7C743C6ED1F1A50C93FD469F3F8713F,SHA256=A35A573E6298392D2A2E88FED0410EE37AE119BFD279D38266E24ACF12B1F6A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120676Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:37.588{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40C394BD369E22D260FC818E1958D748,SHA256=FD14448EEF01A3121428BD68B5CE0A12249E70D2E465B75B9750F62F0C4BBDBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086376Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:38.775{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BC2F0BE7E3F79D2A6A66BD46ED7DB12,SHA256=D31654AF28333D8ACA04A684BC53D978A129E3AA053F216763DE811802BA6061,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000120678Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:36.891{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63373-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000120677Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:38.682{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AC4805D1DCC58278F512A41C8AA9C18,SHA256=7C0EBBCCD5AA3A389A5BFE351685A043EEDAAD596483EB78D0D1BBCCEFAFE664,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086377Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:39.869{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37495C007B27D829CA6ED91C23881133,SHA256=9BCC56B51E37A3876F2ECA27A9C75BBABE686C0DA0BB87A032F8674C0173ABF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120680Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:39.776{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44BEA2B952C6E6F9F23DDA1A9AA8F667,SHA256=FE3553C4951FC809BD67EB0C3C626FD8E9F5013C6587D2CDE303FECCFDEF7FB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120679Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:39.198{5F3DCEF0-286D-623C-1300-000000004202}488NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=EA49A188F0C97A815620C8BBB5AEA772,SHA256=9BD1FF1BE5397F7D337280414BB3BD87FE0BA7C5DED2C596A1392EF25F32FBFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086379Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:40.963{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0834CC88D84FBE83CD0A1DE6B8CF7924,SHA256=B62D5D0779881BAA388EB48FACF09807FD33EA41A053A53A47899A70A10F0ECC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120681Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:40.870{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C135694556F8333DFA0C2BEFB8F5861F,SHA256=C58DB19DC9499A7044C1346DC1C9829210A97F3168B8FF58DD72288389656E5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086378Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:40.009{9531C931-286D-623C-1200-000000004302}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=3D85674262AB3604914D898CD95D2ED2,SHA256=C88ACFA0AADFD5A2A8DC7396083DDB04A74F8C99D0C06D897951548990549E7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120683Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:41.963{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3B807BA10CD9A39236C17DC1D7B3C72,SHA256=C8EA268512F7EF1960408F354AC83E4AF4B462092DDC117CD5F03CBCD1967D35,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000086380Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:38.809{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51724-false10.0.1.12-8000- 23542300x8000000000000000120682Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:41.838{5F3DCEF0-287B-623C-3200-000000004202}2344NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B25FDCC12974A9C381F03B139373D5A,SHA256=CCB13157BCC6FA0284F12C6446F2447FFDD0F4F85F98465868293CDAEA96B09E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120719Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:42.323{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120718Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:42.323{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120717Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:42.323{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120716Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:42.323{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120715Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:42.323{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120714Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:42.323{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120713Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:42.323{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120712Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:42.323{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120711Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:42.323{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120710Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:42.323{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120709Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:42.323{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120708Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:42.323{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120707Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:42.323{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120706Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:42.323{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120705Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:42.323{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120704Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:42.323{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120703Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:42.323{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120702Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:42.323{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120701Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:42.323{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120700Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:42.323{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120699Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:42.323{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120698Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:42.323{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120697Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:42.323{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120696Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:42.323{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120695Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:42.323{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120694Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:42.323{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120693Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:42.323{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120692Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:42.323{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120691Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:42.323{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120690Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:42.323{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120689Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:42.323{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120688Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:42.323{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3400-000000004202}2020C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120687Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:42.323{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3400-000000004202}2020C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120686Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:42.323{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9800-000000004202}5168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120685Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:42.323{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9800-000000004202}5168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120684Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:42.323{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9800-000000004202}5168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086384Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:42.197{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-1300-000000004302}700C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086383Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:42.197{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-1300-000000004302}700C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086382Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:42.197{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-1300-000000004302}700C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000086381Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:42.056{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8ED809EEC1C5244A4A41995BE3AA3846,SHA256=25839F6EC1C0501491A9BC12A4BC641670AE381AE5EF72C204907D6095A85F72,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000120721Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:41.579{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63374-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000120720Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:43.479{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0F9015877D82AE57032727F420F1F1B,SHA256=1CD2330F21D40259ADA5C8B4FE6D337D935A29A443CC5C28B8F3C2245060624F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086385Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:43.150{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1461EF1CD45196E5FAE6B14191F8748,SHA256=FDA63C8E74D52D864795903B8B39DB7AD21FBFA0AA0EA0C3D84269DC3A77F9F6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000120723Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:42.001{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63375-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000120722Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:44.604{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0240EB757646D857BAEDC0269B1BF45,SHA256=D2EE9DC1596BCBFA44F7F13882E749A616A295F1938B02A89BBB93AE3D2D6E46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086386Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:44.244{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C591249245E204FCA9CC4645F8B00BD,SHA256=83AD8DAC106A6FF946D68C6E48FB907FEBB9E26C01DA652C9653767BD971AEDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120724Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:45.698{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADCA1D7A9441D1DC5210BF82A41617D4,SHA256=83F942CF38A46A8C6EEF756DE8BD512D99969CF8A9131EF43053843E19DCC6E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086387Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:45.338{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=379579904528D107192FA4B82F2B6E85,SHA256=1BECAA16EDADB978B048C5B3D83A4D0E889A47432A13F33FB9F2394EA12402DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120725Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:46.791{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=959DEA4D704C89C60FBAEDED4AC6A0AB,SHA256=90A82C7914D9C6A4CF01888C11F7EF14C0C956B9F9480CC30D87DA85BE7BC761,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000086389Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:44.605{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51725-false10.0.1.12-8000- 23542300x800000000000000086388Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:46.432{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28B409677FB221D6ABD1DCF2A7EDD112,SHA256=1987A3A2DF41B31A691EC995512D5AA77E702F121A3CF14B126F316E2B8D9D4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120726Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:47.885{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFC6B3255C84AA4FCE1D65DE72BE13FC,SHA256=17F839034839DA5F046FCE8EFEAFE462365DB71ED15C0B8CA3DFA1740C6529FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086390Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:47.525{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9544D8391D4993F9DF3E73BD2724ECC6,SHA256=08D7E95113C7CE69EB883DEAE91BA34B31956440713FB90E385D4D408E331B8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120727Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:48.979{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FE9CA0F61BD6BA49B13235111E65F33,SHA256=5EA76BE756730688847D07485934A0307A296DCFCC1A1E0C93BF3C24B74121BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086391Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:48.619{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B2DDEF34860C70708E1D60D0A169166,SHA256=FB56BCF5B2EDFC0A91B5A4A7D0B4D4BD97383AC4FA3F9E8AD4649CFF6CC9FEEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086392Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:49.713{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6793615565D744673F589F5D354FC8D,SHA256=383A950E8166DCE79C54A4DBFEBB57F81B551715211ABC0E94F6DD2884750022,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000120728Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:47.891{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63376-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000086393Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:50.806{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1CD66BFDB75CE4E1979D6D55646FE19,SHA256=AA0C57D7EBEFB004CD2DDAB679048FF0DA4FD11D2FB92F0CC8235A0D658DF666,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120729Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:50.073{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C51C4B07A171F195DDD19A567DB7BBE7,SHA256=B4B9751D46ED37A5E0EF71C397CA36AC7184FF692C311651F190AF4CBF943863,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086394Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:51.900{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A47E6DBCA156C27532F7BB5EE8E7F78C,SHA256=9C57CCB899EBF12C3175ACE98072630ACDA070F3A38BC4B2B0933A1931091F22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120730Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:51.166{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C4F68A2386C0786A1C25BA451EA2E45,SHA256=9AB66673A426691725A21BAFF3D7BC2E7389E4A115CDFDD7F84BBFD87F68AC6F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000086421Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:52.931{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-50CC-623C-4405-000000004302}1068C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086420Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:52.931{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086419Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:52.931{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086418Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:52.931{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086417Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:52.931{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086416Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:52.931{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086415Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:52.931{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086414Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:52.931{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086413Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:52.931{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086412Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:52.931{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086411Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:52.931{9531C931-286C-623C-0500-000000004302}408528C:\Windows\system32\csrss.exe{9531C931-50CC-623C-4405-000000004302}1068C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000086410Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:52.931{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-50CC-623C-4405-000000004302}1068C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000086409Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:52.932{9531C931-50CC-623C-4405-000000004302}1068C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000120731Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:52.260{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19133DE2779523957DD9E6FA4623A2C2,SHA256=5EF9F17E232C980358D30075936427678270981837BD2E19C3FA63E2CAE3AB46,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000086408Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:50.605{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51726-false10.0.1.12-8000- 10341000x800000000000000086407Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:52.306{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-50CC-623C-4305-000000004302}2940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086406Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:52.306{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086405Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:52.306{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086404Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:52.306{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086403Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:52.306{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086402Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:52.306{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086401Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:52.306{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086400Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:52.306{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086399Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:52.306{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086398Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:52.306{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086397Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:52.306{9531C931-286C-623C-0500-000000004302}408528C:\Windows\system32\csrss.exe{9531C931-50CC-623C-4305-000000004302}2940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000086396Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:52.306{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-50CC-623C-4305-000000004302}2940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000086395Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:52.307{9531C931-50CC-623C-4305-000000004302}2940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000120732Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:53.354{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F657A23C76533F1464B4F4673E7777CD,SHA256=560016CE8CA06D4DAE3F9D653C5E491D2D85E59FF9704004AB258F75D6139B93,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000086424Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:53.449{9531C931-50CC-623C-4405-000000004302}10683780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000086423Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:53.449{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=01ED1D35572717695810A7BE92DB891E,SHA256=5AA8EF75437A229178D67837A5ED97430307E48A4685BCFF89632DEB4D728E60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086422Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:53.010{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25F7E495844CEFC0D23954DEFB9169F8,SHA256=4D56DBF3D50F14D17669876B4226DEA4D08E6305C5E890020CF865A91B12C77D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000120737Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:52.969{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63377-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000120736Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:54.604{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-286D-623C-1500-000000004202}1220C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120735Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:54.604{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-286D-623C-1500-000000004202}1220C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120734Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:54.604{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-286D-623C-1500-000000004202}1220C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000120733Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:54.448{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C52B4660DA9097AB668A02047D582A4,SHA256=A04DCB4347E299911DF05D016B059005A60D8EE93A5760460F54D7BE644D5E61,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000086438Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:54.978{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-50CE-623C-4505-000000004302}3980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086437Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:54.978{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086436Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:54.978{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086435Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:54.978{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086434Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:54.978{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086433Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:54.978{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086432Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:54.978{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086431Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:54.978{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086430Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:54.978{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086429Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:54.978{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086428Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:54.978{9531C931-286C-623C-0500-000000004302}408424C:\Windows\system32\csrss.exe{9531C931-50CE-623C-4505-000000004302}3980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000086427Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:54.978{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-50CE-623C-4505-000000004302}3980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000086426Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:54.979{9531C931-50CE-623C-4505-000000004302}3980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000086425Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:53.994{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18857999F2544662889A568E767EB164,SHA256=27A1884292420DAD172A317A3A9A9681DA2B87D9F16EB3BBFF563815EEB50045,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120738Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:55.541{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DCBF501CF4CA39A7F14C4C71B9B010E,SHA256=6825B362EA09479AD904768A8538C1313CD3677594E41A23F5B04A727AEDAA41,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000086453Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:55.947{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-50CF-623C-4605-000000004302}3996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086452Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:55.947{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086451Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:55.947{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086450Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:55.947{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086449Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:55.947{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086448Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:55.947{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086447Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:55.947{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086446Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:55.947{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086445Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:55.947{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086444Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:55.947{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086443Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:55.947{9531C931-286C-623C-0500-000000004302}408424C:\Windows\system32\csrss.exe{9531C931-50CF-623C-4605-000000004302}3996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000086442Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:55.947{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-50CF-623C-4605-000000004302}3996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000086441Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:55.948{9531C931-50CF-623C-4605-000000004302}3996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000086440Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:55.823{9531C931-286E-623C-2100-000000004302}2000NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=A5E00E7EBB2810EAE0D99EC39113484B,SHA256=EEFC070AAD9F59A677449000345733E7D83C0EBF71DAE2A27A3529A6BBEFEE94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086439Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:55.103{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=064895A3D0DDD7EBB3FB7A8334EE10B2,SHA256=E5CD919F6D8A4BFF65ABDEEB8CFE71BB567283E3A7130BB5292843871AD02AA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120739Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:56.640{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2C8925A69402AE6BA8ECEC28727EE80,SHA256=E5D3AA1D348472833172F481F9566DA6C63FC17D7827780453BBB4E86DC17044,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000086469Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:56.821{9531C931-50D0-623C-4705-000000004302}7641244C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086468Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:56.565{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-50D0-623C-4705-000000004302}764C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086467Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:56.565{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086466Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:56.565{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086465Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:56.565{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086464Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:56.565{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086463Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:56.565{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086462Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:56.565{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086461Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:56.565{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086460Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:56.565{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086459Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:56.565{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086458Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:56.565{9531C931-286C-623C-0500-000000004302}408528C:\Windows\system32\csrss.exe{9531C931-50D0-623C-4705-000000004302}764C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000086457Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:56.565{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-50D0-623C-4705-000000004302}764C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000086456Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:56.566{9531C931-50D0-623C-4705-000000004302}764C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000086455Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:56.440{9531C931-50CF-623C-4605-000000004302}3996636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000086454Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:56.307{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23A69BD097C4FDC38C83B356288916F7,SHA256=5A865E4C578EDA7E0B3FB04CE8457369333B79B600C890A4B9FF20DD42119E67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120740Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:57.733{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1555B6E668C8B5CD743E1BADCA96E1A,SHA256=15514CF9F737FEC3A1514B967F236BC99CB70C8DB617C7E085ED41D64C2196BE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000086486Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:55.638{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51727-false10.0.1.12-8000- 23542300x800000000000000086485Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:57.517{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1456A96A63016ED9F7B2E9407DC5B6F,SHA256=0A4D01A193B7F9BF05C73FCAADF842F6DDF721DB11E0911148B2915883FA114D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000086484Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:57.346{9531C931-50D1-623C-4805-000000004302}40882548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000086483Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:57.144{9531C931-286E-623C-1F00-000000004302}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0461bb3aaa367e86a\channels\health\respondent-20220324081441-167MD5=E0BA989DE2EAC2D304FA728EF5181BE5,SHA256=79811ABCB3575FCAAAD7A2ED1966FC2D319842A68AFDD7DF3600AD47FF32DF65,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000086482Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:57.056{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-50D1-623C-4805-000000004302}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086481Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:57.056{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086480Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:57.056{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086479Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:57.056{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086478Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:57.056{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086477Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:57.056{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086476Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:57.056{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086475Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:57.056{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086474Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:57.056{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086473Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:57.056{9531C931-286C-623C-0500-000000004302}4081060C:\Windows\system32\csrss.exe{9531C931-50D1-623C-4805-000000004302}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000086472Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:57.056{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086471Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:57.056{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-50D1-623C-4805-000000004302}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000086470Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:57.057{9531C931-50D1-623C-4805-000000004302}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000086488Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:58.407{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38D8BDDCCA6AB3723028196DC16BED89,SHA256=3117DE7EE96DF9594E224350F34A093675FCB9D260571BBEC733E6C1E21551B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120741Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:58.827{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A90EB2DCE207C9844461D58684FE6A38,SHA256=EF21BE912A6F8123808FD524B89C3426C9672780D8F18D626FEC2F6DB2D86A02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086487Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:58.143{9531C931-286E-623C-1F00-000000004302}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0461bb3aaa367e86a\channels\health\surveyor-20220324081439-168MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120742Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:59.921{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4A621F293ACAA15F9D032B14F8F13D6,SHA256=ACD59634B37C9D48EC56AE9C3D8CED1BCEDC9B6FCA8080B44EDEFB5FF13019E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086502Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:59.503{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAC16309022FBD0989B13C36181572B4,SHA256=1BC5D3FDC3448248CF55F698A7AC747B2C8D09568D4468E83B7A6B3FCB859695,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000086501Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:59.331{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-50D3-623C-4905-000000004302}1484C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086500Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:59.331{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086499Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:59.331{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086498Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:59.331{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086497Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:59.331{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086496Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:59.331{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086495Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:59.331{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086494Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:59.331{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086493Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:59.331{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086492Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:59.331{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086491Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:59.331{9531C931-286C-623C-0500-000000004302}4081060C:\Windows\system32\csrss.exe{9531C931-50D3-623C-4905-000000004302}1484C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000086490Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:59.331{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-50D3-623C-4905-000000004302}1484C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000086489Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:06:59.331{9531C931-50D3-623C-4905-000000004302}1484C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000086504Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:00.612{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E44EA85CDB66F35EAF33E1148292E22E,SHA256=F3384AA0B59233D0E222CACB04DA24DAE0D99C047936444D530DB92AFC1E40DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086503Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:00.440{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=20D9CD0C74DC9B0A87E8C40DEC3E46CD,SHA256=6F507EE02AD98D4EF33153AC3518468BB2FF980A360893D4F0300804F433551D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086505Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:01.706{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=388B88F6AACECA5D6BC6036F2AF61940,SHA256=903357598A675518EE6815A3962F41189092BCAF03FF319443EE05F950B8B0FA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000120744Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:06:58.786{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63378-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000120743Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:01.015{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6E1D28B5BCFDF17126F8F05470E3D80,SHA256=C45CD4E544BA41821B97826FB83C38C014E4B765CD76874E4C11CF2CFBE9CF1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086506Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:02.799{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15BDB72E6B73332D16A072AE60CBFCDF,SHA256=B02794C28DA3492D3AF80D590D61E38E46AA96D439244989525D5A82D812D8E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120753Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:02.593{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-50D6-623C-DE05-000000004202}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120752Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:02.593{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120751Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:02.593{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120750Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:02.593{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120749Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:02.593{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120748Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:02.593{5F3DCEF0-286A-623C-0500-000000004202}404420C:\Windows\system32\csrss.exe{5F3DCEF0-50D6-623C-DE05-000000004202}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000120747Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:02.593{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-50D6-623C-DE05-000000004202}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000120746Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:02.593{5F3DCEF0-50D6-623C-DE05-000000004202}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000120745Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:02.108{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8000B9A3A641A779482AFE80EE2A5CC4,SHA256=9CC3236664C377A122C973AFCD2FF8935D3611A5004CCADC4A5441135F870E9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086507Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:03.893{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38E6E816BEC7B0615ADEB6DBA0A64C22,SHA256=5B51909C3ED6CDE720A6854413358025841468B4CB5DD6C385FC94CC42EEB8F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120771Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:03.968{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-50D7-623C-E005-000000004202}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120770Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:03.968{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120769Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:03.968{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120768Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:03.968{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120767Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:03.968{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120766Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:03.968{5F3DCEF0-286A-623C-0500-000000004202}404420C:\Windows\system32\csrss.exe{5F3DCEF0-50D7-623C-E005-000000004202}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000120765Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:03.968{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-50D7-623C-E005-000000004202}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000120764Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:03.969{5F3DCEF0-50D7-623C-E005-000000004202}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000120763Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:03.686{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1366E72B546FA13064BF460999350A94,SHA256=8A771A7D4F50EB041DD4ABBB3E3AF2361EC8DC6495FDF4E63FD095DEE103A965,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120762Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:03.468{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-50D7-623C-DF05-000000004202}4684C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120761Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:03.468{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120760Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:03.468{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120759Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:03.468{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120758Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:03.468{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120757Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:03.468{5F3DCEF0-286A-623C-0500-000000004202}404420C:\Windows\system32\csrss.exe{5F3DCEF0-50D7-623C-DF05-000000004202}4684C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000120756Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:03.468{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-50D7-623C-DF05-000000004202}4684C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000120755Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:03.469{5F3DCEF0-50D7-623C-DF05-000000004202}4684C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000120754Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:03.202{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E2EF53D48CB328DD6C837243B5A802E,SHA256=B9AA5D4F4843BF365B1A719DDB2EC602A98104792A28C9AA346E4E1FCE5BC91F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086509Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:04.987{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D26BAC758836A5CD617E92ABE4531C45,SHA256=A547C8B4D7F1B6EC510F2B7851D2B2B34CD2588603BE1B1FA17E7CAB3990E902,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120773Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:04.296{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6450F78A214DD90B24FE34238F6BAAD6,SHA256=C12831FB81B522C4B820B3965A42609CFDE363D6066DFC6CC2F331D63831BDED,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000086508Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:01.599{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51728-false10.0.1.12-8000- 10341000x8000000000000000120772Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:04.140{5F3DCEF0-50D7-623C-E005-000000004202}53042408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000120775Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:05.749{5F3DCEF0-287B-623C-3200-000000004202}2344NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=2F04A7C1EFC424DB9A2A1E08DEFE27F7,SHA256=E13556B2C27D031E5EBB337742779505D69ED24A294022EDCB7613A65A143CCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120774Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:05.390{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=918AA9CC93BE1171BE266DFB0B14B43D,SHA256=02DC487C62465DB5032C7D01E96186C80ECFDF2BAB0573A5F7E784814C574EF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120777Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:06.483{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D743D96BA451A5881BE3C2CD30AAFDD,SHA256=7C8C6FB34E6F33B080DA3B28F133216C6E5D13FB771B50D95642B3F7B6FECB3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086510Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:06.081{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F80E79ADA5E59510EFB9C53CA6A30F9,SHA256=4CD65B2F6F2EEDEF42233E2EE67B9D795899897DFC0CC2C82E2BF24312045872,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000120776Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:03.915{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63379-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000120787Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:07.577{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAA4029F25A504F8E4F9BB527EB2442D,SHA256=070804F47C075C2536A92B14DA94B13A8D7F221FC5CD00048E163A1FDCFE55D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086511Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:07.174{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DFADADA25918959954A7CF0D9753698,SHA256=F461AA695C0A6DDA79F73C5A866ED0A41D4C48231BD29F480E65C1C3C2C96A22,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120786Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:07.249{5F3DCEF0-50DB-623C-E105-000000004202}48365532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120785Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:07.077{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-50DB-623C-E105-000000004202}4836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120784Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:07.077{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120783Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:07.077{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120782Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:07.077{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120781Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:07.077{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120780Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:07.077{5F3DCEF0-286A-623C-0500-000000004202}404608C:\Windows\system32\csrss.exe{5F3DCEF0-50DB-623C-E105-000000004202}4836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000120779Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:07.077{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-50DB-623C-E105-000000004202}4836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000120778Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:07.078{5F3DCEF0-50DB-623C-E105-000000004202}4836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000120807Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:08.890{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-50DC-623C-E305-000000004202}4184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120806Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:08.890{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120805Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:08.890{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120804Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:08.890{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120803Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:08.890{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120802Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:08.890{5F3DCEF0-286A-623C-0500-000000004202}404520C:\Windows\system32\csrss.exe{5F3DCEF0-50DC-623C-E305-000000004202}4184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000120801Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:08.890{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-50DC-623C-E305-000000004202}4184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000120800Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:08.890{5F3DCEF0-50DC-623C-E305-000000004202}4184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000120799Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:08.671{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47F0DDD892BCFD5FDB5D4C867E8667B0,SHA256=4F80C444DE7F291117193C504B78859F216D1A5A2F29B52A5C516FB45B99AE0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086512Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:08.269{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D73A881BFAD783A2EC27FAE2CE206672,SHA256=475AEE2373017A53220D96918C3F63ECE71421B85225E02842EC152E1ECE2D4C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120798Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:08.421{5F3DCEF0-50DC-623C-E205-000000004202}17201064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000120797Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:05.911{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local63380-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local389ldap 354300x8000000000000000120796Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:05.911{5F3DCEF0-287B-623C-2E00-000000004202}3044C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local63380-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local389ldap 10341000x8000000000000000120795Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:08.218{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-50DC-623C-E205-000000004202}1720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120794Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:08.218{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120793Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:08.218{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120792Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:08.218{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120791Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:08.218{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120790Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:08.218{5F3DCEF0-286A-623C-0500-000000004202}404520C:\Windows\system32\csrss.exe{5F3DCEF0-50DC-623C-E205-000000004202}1720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000120789Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:08.218{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-50DC-623C-E205-000000004202}1720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000120788Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:08.218{5F3DCEF0-50DC-623C-E205-000000004202}1720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000120818Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:09.767{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F377B348DE7961CD00C35761683E990,SHA256=36AFCF4D4010D189245BCC0D1E457092B5081337AC390369C35DD684B3D689F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120817Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:09.704{5F3DCEF0-50DD-623C-E405-000000004202}71644864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000086514Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:09.362{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=602A3003980721AC0A83ED89EACF0956,SHA256=6C7C5FA5564E9A5F651ED91582BE39A0E3208D9F7EB3767BBD8631C48636A1FC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000086513Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:06.692{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51729-false10.0.1.12-8000- 10341000x8000000000000000120816Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:09.561{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-50DD-623C-E405-000000004202}7164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120815Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:09.561{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120814Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:09.561{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120813Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:09.561{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120812Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:09.561{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120811Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:09.561{5F3DCEF0-286A-623C-0500-000000004202}404520C:\Windows\system32\csrss.exe{5F3DCEF0-50DD-623C-E405-000000004202}7164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000120810Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:09.561{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-50DD-623C-E405-000000004202}7164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000120809Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:09.562{5F3DCEF0-50DD-623C-E405-000000004202}7164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000120808Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:09.280{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8459EB1D6CE112133358D0E349DD1ACB,SHA256=D7CE2B6A63F7B4FD4E68E0F424CE420657C0075FDAFE8B706E115EAFACE9399B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120820Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:10.744{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB8F7DFA1D4418840782D4AF43D714AC,SHA256=C90B17A549DD00AC7772149650533501E13DAF0E2F5490CD6AAB64015A938FC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086515Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:10.346{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6E7D9F363B3C6C4BF21DE216322C55D,SHA256=93660F8499030D1A475DC577FCF8A97A0541A1971EDA9A672F27C6F12C60606A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120819Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:10.207{5F3DCEF0-287B-623C-2F00-000000004202}3064NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-055648375a9ac07a7\channels\health\respondent-20220324081453-167MD5=AC296348C12F899BF0F527F2984A2DD1,SHA256=A35560BD23E94F5C9C2AA7752B988DA786BB94608EDDAF755EB3DCD02CE684A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120823Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:11.839{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2439D01EE2762F5963C4C05A9903DC48,SHA256=128515B28729BA06487D9B3A2A9E2C2B5ECA21C94B1DFB4C5C6C561C8A2865C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086516Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:11.440{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CF7642535427117FCB681826423FDF8,SHA256=2FEA9C83B15CE0B0B7B48234BC9EF45A49A4F5F94764389B0AB22EF349A008EE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000120822Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:09.913{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63381-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000120821Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:11.214{5F3DCEF0-287B-623C-2F00-000000004202}3064NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-055648375a9ac07a7\channels\health\surveyor-20220324081451-168MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120824Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:12.933{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA076C5AF617B3C35F3E4352C4180E79,SHA256=9565AA4437B16B39D543C8FBD144103F05927594A5BC077213CF06C5C04DAB31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086517Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:12.534{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEDEF7AE7E591749B7851DF89FDD3F49,SHA256=17B9B546DC04C15C312A764DECB1E434DF410231ED5D291026B71C1D48FE38F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086518Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:13.628{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B482E292C3B14D1823BCBD55DFC002EF,SHA256=674E86C930C4DF73527E9C463D4AB0C9CFF5D70F33317660AAA1C5C193ED89C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086519Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:14.721{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A98F9DE76A05646E8F20E390FCB12375,SHA256=4B0D470B0A43435B998E0E69D15D89B21B9B4F54EDC4F4F73251B24727785AF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120825Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:14.027{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F538649280239227236AFFFA0ED26DA,SHA256=1CF5DE7F2804FBD5F1D2C1B12744420174DB0E24853CDE9B5242402860657166,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086521Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:15.815{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96353DE3B341877DC12C13C3595DC079,SHA256=833DFFCFF4821A896AE186FB98D1F9C6099764C5F9FF0A33749BD32C88F9EBBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120826Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:15.121{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A76D6B9195A45F2E331E36FAB990028C,SHA256=434E61475D9D54AC867E1FF6A9C82DB898869C7910F11E7B1BD3D0E4FAEDCB19,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000086520Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:12.661{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51730-false10.0.1.12-8000- 23542300x800000000000000086522Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:16.905{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BFDF41FD3293DF65ED1C2D6B8E6AA9E,SHA256=AF0F0938E6E0D5417C7161E99192C0E67857C356EBCEAE669BCA817CE0E09A2F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000120828Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:14.973{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63382-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000120827Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:16.215{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D14BBB4D5C438291E944EAC364BA8A6,SHA256=CCB1C6A440266CE76EEACCEE10BF9D4192549BDB99CEF9EC3F696E6471C3E0FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120829Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:17.311{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B665E30BE857B30C9A4FB8983C061AA,SHA256=50F7D4E7F014A97B5784B642E90EE1C1B592E073EDC13D18C5EEAF8754761C21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120830Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:18.405{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD0CDECEC2FCFC709F73A9559D5599E3,SHA256=A84893AF431510171F7D9CF987558370EDC44A72037DEEBF97DC6D10E928A3B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086523Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:17.998{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB9D9537AA359CAC51AB9F50CD300ACC,SHA256=34BE727582A89C34C5CBCF26ECF25B52B1E68DEE57E972CCC76A04702BD08D8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120831Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:19.499{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A194354D9A26E5C3EE9531F32DE578B8,SHA256=AD686F33407ADD0498C225454784FBFB5172060DD0C7EEE8937DD0B76DE7285C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000086525Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:17.688{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51731-false10.0.1.12-8000- 23542300x800000000000000086524Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:19.092{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8DC25640A77333FFD9B9AA6B2666A0C,SHA256=6195D6C60EDC65268A95506E526D3BAB836D5C67AB660A79B6D12B9FF8B9FB64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120832Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:20.593{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6784344EBBEC10AE13970C542EF6F7F,SHA256=01BC0695A689B96C7E6B163450517023774BF42481D4904761D3823556ACF501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086526Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:20.186{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94664A659315C0314551625B557F3642,SHA256=EEB80AB522151AECF3EE8A0102A1927E71DE8715546CF0B70A184314E0F19C34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120834Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:21.702{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B79F593B796486C9ECD5A1F2FDB1142,SHA256=C28A1DBBF633E1C834A0FE2196D3AA9B95F3DF091406C6AA88561DAF0D81D526,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000120833Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:20.004{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63383-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000086527Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:21.280{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C603314B3770AB315D2BACC027FEBFE,SHA256=862A32C410A14176E4618B102506D03836081C7B52C7DE505D7985A30F51D205,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120835Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:22.686{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F18255C5B385E6F45856781B70F05E2C,SHA256=63D109BB1A5FAF927296956262BC5444A030A2396B86F85BEB3E734C7970C562,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086528Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:22.373{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=665CF4BA9B52B941E4FD5E2678DB1D4D,SHA256=C75314877E6CED63B72A32AA8ABA8F410FBC1EE3E7873DB3B619B009082F30DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120836Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:23.780{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF42CAAEB8041AD64E42C297322EBA5A,SHA256=E9950546BABBB82CE5415B96BD924A122113BF9251E41B2EB1A4F513FF993AE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086529Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:23.467{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=572F812DD6C13B22BC85356D1541BCC4,SHA256=4AE62A25D80F82B4D5E67D8B0D5CBA78FD21D77B9A038B11E4AA41A7000A74B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120837Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:24.874{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66BD4980149C56DA9AA03AD4372701A1,SHA256=AEEBAB366988CA3177F75A4064FC7BD4C4F015AC309571225ACDB2DE223C99C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086530Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:24.561{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBF1AC7405A009B8FAEE3D8EE167C9D8,SHA256=DA1ED79444736677E7AB67608F0E9A2EBBBAE32F55D9AF26FFEF4AC1EA9AD670,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120838Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:25.968{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=389A8E4CE2ED55BADC3F5B620FFC1675,SHA256=714BEC76EA5978C543BC7DACF8B10E21AB26405F7E6048A3D3E87B9E8CB5AA3F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000086533Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:22.813{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51732-false10.0.1.12-8000- 23542300x800000000000000086532Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:25.655{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15FE275185F41D2E25D6039E7111C635,SHA256=CD8FBD63BEC02C3F38045CED0FFECA8CBD1A84EB2555A783243BF37D9B8FC4EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086531Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:25.030{9531C931-286E-623C-2100-000000004302}2000NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=8239F11F76A5C13CAF885564D4F5342E,SHA256=6735E54B48F622181A8CEBEC279CF2CE52BA65F3E1585E356503E8C779FD0B82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086534Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:26.748{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4D034DB47C6227342C34E40BDD5AAA1,SHA256=9ED1BEF316AA844880E880AD5869A742C105286CEA0E71B931BEADCFAC2331FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086535Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:27.842{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7F7DC1314495A06F117C46C0FA22899,SHA256=FE9D9C5BE1309798A7DC46F0A42C0B326D9031FEF7DBB24CAC6C0F4BCB6929EF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000120840Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:25.848{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63384-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000120839Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:27.061{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8CB6C174C6CA5550206A8BC0284026C,SHA256=726FB1D3EDFD5012606095CAF429D861B5374BBC992A22CB5628FDB9421CA785,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086536Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:28.936{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AC03A2E9111B6B24BB16EDB7BCA4BDF,SHA256=C1A26BA41A5C52202A884852DDDDA1336033EEF7E3112F4161162E78EFFC7BF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120841Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:28.155{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DD93660779E029222E87AA445E2BC09,SHA256=0CF52DEA4DA33D7878E82B2E52191F17BC98485A1D5EBE2BD88AC37F3EF9C83B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120842Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:29.249{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=099904829AE0B3554AA2BFD164945597,SHA256=123FB5D33E7FDD21F5E9836FD5C3FC00A08CC7892AE9C984BD8877D933432BD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120843Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:30.343{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEF2695B00F879DC59CC0FEB159C0B48,SHA256=C10BAD2331573027E2DD90D069423DA4EF6970E7838220409D6C66392C4B8F86,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000086538Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:28.782{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51733-false10.0.1.12-8000- 23542300x800000000000000086537Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:30.030{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D63866D8FE86E2DA88ECE6A7C20A0EA,SHA256=F591E453DEADB65EA498A725E9F8DD5DF43BA7C84787B708727474EBDAFB0C32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120844Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:31.436{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06D132BAD6A81E911196BA2A1112E3DA,SHA256=491A408E7570741BB1EA9A378BDC1C9F1907FD04E9C0C0ECD554FE94E4101307,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086540Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:31.608{9531C931-286E-623C-2100-000000004302}2000NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B25FDCC12974A9C381F03B139373D5A,SHA256=CCB13157BCC6FA0284F12C6446F2447FFDD0F4F85F98465868293CDAEA96B09E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086539Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:31.123{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23294434712CF21F09838718BBE0F42D,SHA256=FEA344086513915F12727BD53F0122E8C804C1266C5252170484573FB3BD9B9F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000120846Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:30.957{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63385-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000120845Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:32.530{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3FBB39014D416AACA40BDF45BEA334C,SHA256=130202CAE6E8EBC65D291CAE73BA1E38B280854801C28CB2C6FB4DB4E8F7BB2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086541Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:32.217{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82193E7B542828832710AEE606888436,SHA256=349D0118A9935980B56D09A9F54598717B40586B68E384FF540CF5CF8E945F2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120847Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:33.624{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95925EBA05BBD3D65C424FF20E7F85D6,SHA256=3A81211D9B4C2CC8D641FF6FE792DDA93C7BD2CE2092685E4E77364BC8FDF992,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000086543Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:31.141{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51734-false10.0.1.12-8089- 23542300x800000000000000086542Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:33.311{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7907B21C5D9866164D0C84CEF3E52A82,SHA256=D88D9E64C4CFC2CF07A8D49E371FBC2B1CDB833D22F23B643E8CB3157BFC3357,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120848Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:34.718{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5D19714149A49283D95DA16B4E08651,SHA256=4043E9FF5DA159B1BA3DE22FCC50E657C4D8AC5253C0991DA314F523ED23F36D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086544Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:34.405{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D7547B47CA3C94A28DDEE8D0EEBF6D0,SHA256=EB8879BCCDDA19A078330CC945B60776E3C7533C516F383CBB18402C6D7C58F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120850Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:35.983{5F3DCEF0-287B-623C-3200-000000004202}2344NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=4184EC5620D364C3B9E494D4E2B3957B,SHA256=7838D2F82710DF8C3A635979369539A928D4ACD437C9ADB17D4AC0318EC47D9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120849Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:35.811{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BEE8339DAE55FE52B3B5DCB418C6A90,SHA256=44890103C121C5FA4F592CF4FBCA23F6A7115964F7C34BFC5A88DFF49635D667,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086545Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:35.498{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9613A50CBDAEB1CDF8DB2A933DDF9A21,SHA256=86E6458C87F66A3AE6DFE702019A07498A6B1E8CEA65CF8F4083A4919F749F57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120851Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:36.903{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C423949CBF557A1AC497B32160FACAA4,SHA256=547E779BA85208BE12F4EC42BA445D98D65989A5CB21C98DA2BD295AF5AF3277,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000086547Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:34.750{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51735-false10.0.1.12-8000- 23542300x800000000000000086546Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:36.589{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=841EE2C3AEBE6439E26F08402A3A0FF1,SHA256=C9BCB9598C2ADD77A6DD305F360583152584C825C4977971BF3377AAABFA4CB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120852Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:37.997{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0D0602C259379692E652C89C8E6D372,SHA256=FC0E6B79A70E7B741FBB9D61476A8E56BA089FB81A4CFF678B62A9FD24215365,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086548Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:37.683{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F151B1AB3063FE34FBE8007726B6A827,SHA256=E79A60D5056BA0EA36241450C69BD5856CB923EB3187C5AE7CC58A19683C942E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086549Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:38.776{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57C84222E2116538FF97B6FE51152857,SHA256=785A3EF11E0CB701E54EB443D31EE8DE518034C0B4D37560222518A8946BA4A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086550Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:39.870{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D1CEBBA33B6D4EEE8D1AC3F269E9E78,SHA256=4329331C84A10C18D2C479C31CC75840DD50BD296995B567B3735F316CBA9F9A,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000120865Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-SetValue2022-03-24 11:07:39.293{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000120864Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-SetValue2022-03-24 11:07:39.293{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x009f1d75) 13241300x8000000000000000120863Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-SetValue2022-03-24 11:07:39.293{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d83f66-0xfdcf8a96) 13241300x8000000000000000120862Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-SetValue2022-03-24 11:07:39.293{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d83f6f-0x5f93f296) 13241300x8000000000000000120861Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-SetValue2022-03-24 11:07:39.293{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d83f77-0xc1585a96) 13241300x8000000000000000120860Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-SetValue2022-03-24 11:07:39.293{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000120859Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-SetValue2022-03-24 11:07:39.293{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x009f1d75) 13241300x8000000000000000120858Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-SetValue2022-03-24 11:07:39.293{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d83f66-0xfdcf8a96) 13241300x8000000000000000120857Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-SetValue2022-03-24 11:07:39.293{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d83f6f-0x5f93f296) 13241300x8000000000000000120856Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-SetValue2022-03-24 11:07:39.293{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d83f77-0xc1585a96) 23542300x8000000000000000120855Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:39.200{5F3DCEF0-286D-623C-1300-000000004202}488NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=F75D5C70D790BC902E5AB472012CC319,SHA256=B886D0CC43AA02786E1068FEE4DCD51CD1B0B58B9FBE344AAC1B0C661512C007,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000120854Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:36.892{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63386-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000120853Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:39.090{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09E4D8999FBA865CACBC9887DD6BD7D9,SHA256=793154AF3CACBE43131E9988B0248FA7CDE3E2195A2D578B441A8B61AEF0D972,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086552Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:40.964{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1ACC7C3C61F02AF05B896CE98AB54FA,SHA256=F60C95B1B128FBD25D00730C5F4243F417A26737DA7805328AC935D2D6158DBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120866Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:40.184{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FD3C92EC278B0A359849693C9E8AA95,SHA256=BB1AF43CCE911C9FD4DE056DB4BBC73DF238DF75321BFC88AA725CCDE527806F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086551Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:40.011{9531C931-286D-623C-1200-000000004302}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=F85FE7720967E35423564F771BB0509D,SHA256=856E27F7B38214262306D5D48F6A9A0B31459572B0D4D7471CD0788BED22203C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120868Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:41.856{5F3DCEF0-287B-623C-3200-000000004202}2344NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B25FDCC12974A9C381F03B139373D5A,SHA256=CCB13157BCC6FA0284F12C6446F2447FFDD0F4F85F98465868293CDAEA96B09E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120867Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:41.278{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0997587E2D147D500FDA3072CFABD819,SHA256=4B00995C20CABBAC2918CA1D591D583C6D45697C3F19C9CEF10A4C3E95FA8C59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120869Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:42.372{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03CA2D7206AD2C35FCEE4C91E1F1B463,SHA256=CC0194CB5D8CB28D2F19E34F035E944C78041936689FA858ECD4E744CD5D3C8C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000086554Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:40.592{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51736-false10.0.1.12-8000- 23542300x800000000000000086553Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:42.058{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=473771CA64FA068DE808100344148CC6,SHA256=6A1FB7B78FBE5F96C7BEAA76A43833F6BC445EEC35699B9B784724EE78AAE319,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120870Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:43.465{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEEF51F008C56F036347AB808DDE6F95,SHA256=3EFD2855537BD5221C08068E6C9412E916B96398FCE6F9FC4409AD33D15575E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086555Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:43.151{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0C9592ED61FC9E441CDA9C9A08E7507,SHA256=8FDA1D0EE2CA7A208C828FEF5D9823B12866A03D45BC2C9EA7839D146CD838EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120873Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:44.559{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F1913D2306D79B53B28EB1C4A029CE0,SHA256=97DE09F9E90D729A729D418CAC89EB41F80EA093D8B5C5CC1D9F8FD06C82D0B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086556Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:44.245{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C445F940F277FA81FA6B47838E096A9,SHA256=623F0C619F942E40BB55E63DD5769625513EC3897CFFA15229E7734BEA6D2371,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000120872Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:41.939{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63388-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000120871Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:41.595{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63387-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000120874Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:45.653{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFF9C458EA73D1B3942CBB17DA525029,SHA256=0179E54524D51D2B3C92B9DECDC88B892137AD6E3FF9A6503D45548D1DFF1F50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086557Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:45.339{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D87282D8EBF7C2C40FFE99546F9FA7E9,SHA256=67B8708E5E9F42DCC78C3A313A84B990275160B16A99D184E8E9FF5EED33B37E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120875Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:46.747{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F21D2A252CB4C784C2842A6A73B7961,SHA256=298944F891B6829C2C0520F5FB5AE2BA535385294868B7E379E85DA2D828D1B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086558Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:46.433{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4432A311B74A2AAD52881154C88424C,SHA256=9D8408CB24A26CAE7034BD741F6CFCEC759F67F818B7A32C7589F6D934E18908,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120876Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:47.840{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD33F3419BA30F83E3CCFE17DCDEA859,SHA256=B61CF540EFDF2123F8BC189356686A8DD5E1DC87D89C3B9238342F55CB536DEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086559Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:47.526{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE43AE59E91306A7193F871213749BAD,SHA256=B088B949C608B1869D898739F2429EB9CD55505E896F836E7D7BDF920C24B39E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120877Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:48.934{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CAD7434228D6BFDFAF9B949158065E3,SHA256=AC489B9E66053607ACB52468A6798E65A89A998AD144408530AB6877D251C35D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000086561Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:46.591{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51737-false10.0.1.12-8000- 23542300x800000000000000086560Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:48.621{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1A97ECD29467727A9142171DC8F5F8E,SHA256=060A968A0CEB38452E99E566BAD2A110AE0A684F4DB4C4FBBE2395DF02AF4C9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086562Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:49.714{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A259F5C4614D7A28919C8B6B6BB075FB,SHA256=D8DF9A85E08C769F647108FAF273EB6B784D121544FD81D5DCA643A45F6B45DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086563Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:50.808{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E591211085C415D51FCACFD6194DE08,SHA256=85983072547117459677C84EE921F9A26A74A5E3C68EACCDBD006FCA9F058750,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000120879Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:47.924{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63389-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000120878Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:50.028{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=479720A546B8CB7763223E4FF4DF05ED,SHA256=02EDE1B687398EC6E3435B8E823848D63CD1BB30587E15AC3C7725B9C3392A3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086564Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:51.901{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DE685B1793F8FCCFEE311DB1D7DF7DF,SHA256=958F8D6386119A83E590D8B2F74D369B5BA2E3C80E5C077D7682398A7959EC61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120880Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:51.122{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D8BA6E6D433DABC7C7A60CF7921A74F,SHA256=CC18F53B955CAEADDB926F7137E776A6033249E86D947EF4CBD8BAA8FD2E2752,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000086591Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:52.981{9531C931-5108-623C-4B05-000000004302}18922928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000120881Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:52.215{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7B8E9A384B816EFB6125653C769B246,SHA256=91A48B3A3EE216A882F4BE3896F0779676E871D6AF0322F58932A2B88F97BFDB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000086590Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:52.651{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-5108-623C-4B05-000000004302}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086589Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:52.651{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086588Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:52.651{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086587Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:52.651{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086586Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:52.651{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086585Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:52.651{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086584Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:52.651{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086583Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:52.651{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086582Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:52.651{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086581Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:52.651{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086580Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:52.651{9531C931-286C-623C-0500-000000004302}408528C:\Windows\system32\csrss.exe{9531C931-5108-623C-4B05-000000004302}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000086579Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:52.651{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-5108-623C-4B05-000000004302}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000086578Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:52.653{9531C931-5108-623C-4B05-000000004302}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000086577Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:52.151{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-5108-623C-4A05-000000004302}1908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086576Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:52.151{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086575Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:52.151{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086574Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:52.151{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086573Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:52.151{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086572Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:52.151{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086571Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:52.151{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086570Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:52.151{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086569Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:52.151{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086568Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:52.151{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086567Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:52.151{9531C931-286C-623C-0500-000000004302}408424C:\Windows\system32\csrss.exe{9531C931-5108-623C-4A05-000000004302}1908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000086566Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:52.151{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-5108-623C-4A05-000000004302}1908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000086565Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:52.152{9531C931-5108-623C-4A05-000000004302}1908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000120882Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:53.309{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=750DB074A303E99D0429B85510EDD46E,SHA256=F5169B68CA5B1F550F4A21E96DA681CF11CCC0E39F635A63BD554675786FF006,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086593Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:53.370{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A09A688CE6EDC4CBBC592ACC5811466,SHA256=9E875C9083FE4BA28BBD72A0B59FE582AD185354ECFF74D89C8665C8275C0C5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086592Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:53.292{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=916F0E22F356F525495F0A847A911937,SHA256=48C7F17CB91D449008CB129061C795F898E292AC61F6D8ACC7F65F8A804B23F7,IMPHASH=00000000000000000000000000000000falsetrue 154100x800000000000000086595Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:54.996{9531C931-510A-623C-4C05-000000004302}1424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000086594Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:54.120{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77448F19B2D3220D2D75E608AA46EC38,SHA256=B8F38407776A4E9DF5B8FA24F0F0C8C5446AFAD8F1DD88EF0325D4FA808FA1D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120883Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:54.403{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6273B0672C4D32B4AC6FE819B63A692B,SHA256=74968DC61A4D5F2AD6D8AABBE49DB1F98074E9DC68AE8798ED2CAFB2575CEB2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120884Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:55.497{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EDA91430D12E40E45473F94948E1404,SHA256=398AC262382AEE345076896330EF742C97DCE2E75C6CE5FFB903FA86FE12C8CA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000086623Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:55.886{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-510B-623C-4D05-000000004302}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086622Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:55.886{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086621Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:55.886{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086620Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:55.886{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086619Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:55.886{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086618Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:55.886{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086617Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:55.886{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086616Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:55.886{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086615Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:55.886{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086614Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:55.886{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086613Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:55.886{9531C931-286C-623C-0500-000000004302}4081060C:\Windows\system32\csrss.exe{9531C931-510B-623C-4D05-000000004302}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000086612Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:55.886{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-510B-623C-4D05-000000004302}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000086611Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:55.888{9531C931-510B-623C-4D05-000000004302}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000086610Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:55.245{9531C931-286E-623C-2100-000000004302}2000NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=105B80AE141F762552EF2361AD08659B,SHA256=0133EA02ABDBDA6C7E1D23E19C967B6C85DB3FA01CEB2766663ACA825A77B377,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086609Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:55.214{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCB60E504B42026DFD876E11EDE605C1,SHA256=AB51362A5A49923897E481F6FA76902B2B5E507D154D0012622FC9AEB653EDBA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000086608Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:52.609{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51738-false10.0.1.12-8000- 10341000x800000000000000086607Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:54.995{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-510A-623C-4C05-000000004302}1424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086606Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:54.995{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086605Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:54.995{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086604Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:54.995{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086603Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:54.995{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086602Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:54.995{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086601Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:54.995{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086600Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:54.995{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086599Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:54.995{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086598Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:54.995{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086597Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:54.995{9531C931-286C-623C-0500-000000004302}408528C:\Windows\system32\csrss.exe{9531C931-510A-623C-4C05-000000004302}1424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000086596Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:54.995{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-510A-623C-4C05-000000004302}1424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000120886Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:56.589{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5638CD7D367BCEE08289512CD53068F1,SHA256=FAF45705916D7C8E4F25C1B9FC75000F0CF3FFB24ADB31B08215303CA4A73429,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000120885Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:53.814{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63390-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000086652Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:56.885{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-510C-623C-4F05-000000004302}852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086651Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:56.885{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086650Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:56.885{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086649Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:56.885{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086648Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:56.885{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086647Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:56.885{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086646Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:56.885{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086645Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:56.885{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086644Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:56.885{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086643Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:56.885{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086642Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:56.885{9531C931-286C-623C-0500-000000004302}4081060C:\Windows\system32\csrss.exe{9531C931-510C-623C-4F05-000000004302}852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000086641Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:56.885{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-510C-623C-4F05-000000004302}852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000086640Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:56.886{9531C931-510C-623C-4F05-000000004302}852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000086639Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:56.651{9531C931-510C-623C-4E05-000000004302}20642400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086638Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:56.385{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-510C-623C-4E05-000000004302}2064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086637Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:56.385{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086636Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:56.385{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086635Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:56.385{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086634Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:56.385{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086633Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:56.385{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086632Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:56.385{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086631Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:56.385{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086630Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:56.385{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086629Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:56.385{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086628Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:56.385{9531C931-286C-623C-0500-000000004302}4081060C:\Windows\system32\csrss.exe{9531C931-510C-623C-4E05-000000004302}2064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000086627Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:56.385{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-510C-623C-4E05-000000004302}2064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000086626Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:56.385{9531C931-510C-623C-4E05-000000004302}2064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000086625Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:56.214{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57C7AC5F2E636F441D1C3559F28A0CA9,SHA256=A509A8F0B8E9235B07F5833271173F49EDFC06494AAAFA62D9D2DDBED8A193E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000086624Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:56.136{9531C931-510B-623C-4D05-000000004302}39442500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000120887Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:57.573{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65154ECCDED243998146DB54666F55F0,SHA256=48759A451D2F86A3039691F17F54D1837437308EA4789D4571EB5ED2396C1646,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086654Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:57.526{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C183BF4F3A84AD18C020C31F71DEF264,SHA256=F1E3BFA65F8CCF60F087DE3EB66A0224A96149A4FC52BB857C2FEDC9EC39E495,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000086653Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:57.216{9531C931-510C-623C-4F05-000000004302}8523220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000086656Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:58.671{9531C931-286E-623C-1F00-000000004302}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0461bb3aaa367e86a\channels\health\respondent-20220324081441-168MD5=E0BA989DE2EAC2D304FA728EF5181BE5,SHA256=79811ABCB3575FCAAAD7A2ED1966FC2D319842A68AFDD7DF3600AD47FF32DF65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086655Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:58.324{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A61368754CEFBE6A9DAE965DF8A7DBE,SHA256=023CE9AEBCD4583FCE699B329EF244DC5B620F020B033AE6732C4DE3C8C311BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120888Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:58.667{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D20237B1B0605994C94B00E42480E5C2,SHA256=BB4A8C1F9896C8C05F1BC5A1F1068036029AFABB1C461063E8C8EAF2B85C4904,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120889Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:59.761{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CE24832DE07EE1723C8B305E15CAB37,SHA256=4D7A2D82B58FF542A03BD7EB6175F96AABF6A7561BAB33B8C0B9C1F6215D3991,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086671Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:59.671{9531C931-286E-623C-1F00-000000004302}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0461bb3aaa367e86a\channels\health\surveyor-20220324081439-169MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086670Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:59.435{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E6B140631E4748D463ED8B618F1804A,SHA256=330BA4FD0832C94A2E3105FEA1501B19C5D839402F7B7D534F4BBA1FC2959571,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000086669Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:59.326{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-510F-623C-5005-000000004302}3760C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086668Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:59.326{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086667Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:59.326{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086666Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:59.326{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086665Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:59.326{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086664Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:59.326{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086663Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:59.326{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086662Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:59.326{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086661Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:59.326{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086660Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:59.326{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086659Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:59.326{9531C931-286C-623C-0500-000000004302}408528C:\Windows\system32\csrss.exe{9531C931-510F-623C-5005-000000004302}3760C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000086658Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:59.326{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-510F-623C-5005-000000004302}3760C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000086657Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:59.327{9531C931-510F-623C-5005-000000004302}3760C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000120891Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:00.855{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EA647D9507B516FC8A33930477CBF4E,SHA256=24A8020DE5C074D473A038C571160B01432FFE36BE190D8E1B2417E71C64FA00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086673Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:00.436{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8059C98973BF02AAF546C7F27E3985D,SHA256=D6A3D7C58B893B19AD4E504B980594624ADA0DB705F60237BE1595D26393C9C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086672Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:00.405{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DC1AC318DA422B7ABF22F67CCBBBEED9,SHA256=F71D8EC91624BCFAB3F2FE216D6599128729E4C1D4859CAD188997F0CE939C16,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000120890Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:07:58.828{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63391-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000120892Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:01.948{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAE8343974E565DE52CF91C7DE2C732E,SHA256=6BEB396D4AB503ECB4D87BE204C784B969868DFCDD5B95076F3B4D354B26B6A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086675Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:01.421{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9460625BA546ACC3894965B087AC6B3,SHA256=97510944AC915B188F7A4C4283522452DE4E9381C5E801A3BEAAC6FC9A024FA1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000086674Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:07:58.609{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51739-false10.0.1.12-8000- 23542300x800000000000000086676Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:02.530{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7605EB56BF9E9FB23A610F5A2E10D9DD,SHA256=95FD9F031E698C12FF4D5A8E07B3BE45462BCB08836EBA29FB59A27349952E68,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120900Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:02.605{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-5112-623C-E505-000000004202}6080C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120899Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:02.605{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120898Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:02.605{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120897Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:02.605{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120896Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:02.605{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120895Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:02.605{5F3DCEF0-286A-623C-0500-000000004202}404420C:\Windows\system32\csrss.exe{5F3DCEF0-5112-623C-E505-000000004202}6080C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000120894Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:02.605{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-5112-623C-E505-000000004202}6080C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000120893Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:02.605{5F3DCEF0-5112-623C-E505-000000004202}6080C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000086677Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:03.624{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E191CB7ECE9FAE38FDE9F0B2D4A62F8D,SHA256=C473DD75D367CCD97001F8714B428271DBD73E4A9EDD3BAAA499122F7C44D087,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120910Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:03.761{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=901101075963158E22DE5AE510CDBCE0,SHA256=9944DD0506D0E453A7636B08597EEC6452DA924BAEA2DBE096C6717164AC87FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120909Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:03.480{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-5113-623C-E605-000000004202}764C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120908Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:03.480{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120907Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:03.480{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120906Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:03.480{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120905Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:03.480{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120904Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:03.480{5F3DCEF0-286A-623C-0500-000000004202}404608C:\Windows\system32\csrss.exe{5F3DCEF0-5113-623C-E605-000000004202}764C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000120903Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:03.480{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-5113-623C-E605-000000004202}764C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000120902Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:03.480{5F3DCEF0-5113-623C-E605-000000004202}764C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000120901Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:03.042{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7955F41EF5F2696DD44BC6CFEE7C9E5,SHA256=94040E5BF89D121CBA975FB5562D045B2F9DDDC5F0DF75DC3FB6A21ECC5A1151,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086678Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:04.717{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C66AA69AB6269D7CE92DB3BD69AC510,SHA256=52787105AA7343FDC6F1B7BDC95B7AA0514ACE19B7B2B5B946732DA4C6D5463C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120920Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:04.308{5F3DCEF0-5114-623C-E705-000000004202}32643740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120919Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:04.152{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-5114-623C-E705-000000004202}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120918Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:04.152{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120917Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:04.152{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120916Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:04.152{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120915Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:04.152{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120914Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:04.152{5F3DCEF0-286A-623C-0500-000000004202}4041324C:\Windows\system32\csrss.exe{5F3DCEF0-5114-623C-E705-000000004202}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000120913Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:04.152{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-5114-623C-E705-000000004202}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000120912Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:04.152{5F3DCEF0-5114-623C-E705-000000004202}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000120911Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:04.136{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CA78BFE9397698D4069DD81F594B2C7,SHA256=1C5AED5DCB14AF511D831765A682B80B552B8ED3B63C23FB03EA7D8932E25879,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086679Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:05.811{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAA5409E232B7694356A9082F09D53A6,SHA256=8A6329D6E5E35801CC22A913911CFE4BF698A9578AB30E453276CDEB0C15CF89,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000120923Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:03.828{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63392-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000120922Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:05.261{5F3DCEF0-287B-623C-3200-000000004202}2344NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=E846C14BAC649951586E701B6A467630,SHA256=68F23B641FFA6A885FB170F7B600ECC4D79EB5E9886FDC095C603F22421A16B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120921Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:05.230{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=267FD67E603693A98BFAC7E14B61ECEC,SHA256=594A7DCCAC8F6C05146BFB3269B8B2E25B74E8DB43FD6A1804170502B0CE4B2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086681Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:06.905{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8424509C61DC73580D7C096E687FFF9F,SHA256=97D9144FB80A2148F3A559CF4928801411F1E83CBAE1BD10CA8217B78B9FA74E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120924Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:06.323{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D181B36AD036D0FBC749FDF0A14250E,SHA256=3128DD871836F1746328F0AA05D0B3B514D92A3B79CB03BD332D38536153EDF7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000086680Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:03.735{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51740-false10.0.1.12-8000- 354300x8000000000000000120936Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:05.922{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local63393-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local389ldap 354300x8000000000000000120935Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:05.922{5F3DCEF0-287B-623C-2E00-000000004202}3044C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local63393-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local389ldap 23542300x8000000000000000120934Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:07.417{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E81DCF50484BAA363746F12A2FD0172,SHA256=0872E2EB078D6B3167DF5C7778C2871F0A49AC2AC97C7C90911B5917C56C678D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120933Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:07.230{5F3DCEF0-5117-623C-E805-000000004202}63887036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120932Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:07.073{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-5117-623C-E805-000000004202}6388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120931Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:07.073{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120930Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:07.073{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120929Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:07.073{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120928Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:07.073{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120927Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:07.073{5F3DCEF0-286A-623C-0500-000000004202}4041324C:\Windows\system32\csrss.exe{5F3DCEF0-5117-623C-E805-000000004202}6388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000120926Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:07.073{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-5117-623C-E805-000000004202}6388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000120925Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:07.074{5F3DCEF0-5117-623C-E805-000000004202}6388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000120954Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:08.761{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-5118-623C-EA05-000000004202}5188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120953Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:08.761{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120952Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:08.761{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120951Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:08.761{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120950Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:08.761{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120949Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:08.761{5F3DCEF0-286A-623C-0500-000000004202}404520C:\Windows\system32\csrss.exe{5F3DCEF0-5118-623C-EA05-000000004202}5188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000120948Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:08.761{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-5118-623C-EA05-000000004202}5188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000120947Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:08.762{5F3DCEF0-5118-623C-EA05-000000004202}5188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000120946Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:08.511{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC6DBCDE04B6EC6D9C3A82702B44B316,SHA256=7165C56DB68D23187E7D21EAC17565EB8ED83F1E160296A6C11F2A03C83B998F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086682Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:07.999{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBA2AABA30D0CA9448649FA3D0894130,SHA256=6C358C1577AB7F849C50DE87EE3CD5A2B33D7DC120F0DED297A4AD0EFA4A20F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120945Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:08.386{5F3DCEF0-5118-623C-E905-000000004202}22402484C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120944Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:08.230{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-5118-623C-E905-000000004202}2240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120943Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:08.230{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120942Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:08.230{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120941Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:08.230{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120940Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:08.230{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120939Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:08.230{5F3DCEF0-286A-623C-0500-000000004202}404608C:\Windows\system32\csrss.exe{5F3DCEF0-5118-623C-E905-000000004202}2240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000120938Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:08.230{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-5118-623C-E905-000000004202}2240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000120937Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:08.230{5F3DCEF0-5118-623C-E905-000000004202}2240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000120965Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:09.605{5F3DCEF0-5119-623C-EB05-000000004202}5046336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000120964Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:09.605{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=555588FC653504BBD61BE86FFA2EBDE6,SHA256=B63A4B779135DB54E41FCCA23C14AD4B108D82554C0DFBBCD65F24167DA522F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086683Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:09.092{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34203F279006FA74BBE6792560CA4B73,SHA256=AD9175C9316A46533D029B8AED5E0CA4BFCAA8349A7082182F0CF80F6BB703AB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120963Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:09.386{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-5119-623C-EB05-000000004202}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120962Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:09.386{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120961Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:09.386{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120960Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:09.386{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120959Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:09.386{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120958Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:09.386{5F3DCEF0-286A-623C-0500-000000004202}404608C:\Windows\system32\csrss.exe{5F3DCEF0-5119-623C-EB05-000000004202}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000120957Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:09.386{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-5119-623C-EB05-000000004202}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000120956Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:09.387{5F3DCEF0-5119-623C-EB05-000000004202}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000120955Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:09.339{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2042FB870888452BC4E336940E545769,SHA256=84C76FB7DD7019D8AB144420FF4FD5246FB64288312E248A23F955DB1E96EE31,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000120967Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:08.875{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63394-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000120966Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:10.698{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53D0F51788F26C6747B1E62CAFEB3D70,SHA256=FBD869B6F9970CC80EE93539C738FA59A7495636ACB58D4C91247D39724FA3E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086684Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:10.186{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD61B5C5699542D821F1FA515C01B93E,SHA256=3EFA1B97A8618F1C445461C50B9906A91C9A35E9D414391887D7A6E4B66F27AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120971Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:11.793{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAFA99B9A455818643D87B1E6D70AA3A,SHA256=8BE539CD70F2F9AD419A6649EA150CC35450A78C567ED67DF112287131FB5919,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120970Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:11.733{5F3DCEF0-287B-623C-2F00-000000004202}3064NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-055648375a9ac07a7\channels\health\respondent-20220324081453-168MD5=AC296348C12F899BF0F527F2984A2DD1,SHA256=A35560BD23E94F5C9C2AA7752B988DA786BB94608EDDAF755EB3DCD02CE684A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000086686Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:09.751{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51741-false10.0.1.12-8000- 23542300x800000000000000086685Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:11.296{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE3A0834C4CE1FC5B0C025573DB53285,SHA256=0949A3F59D08DC93DF1FE098C0F9C395DAE912974398DE026AECC0F47FC7CD96,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120969Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:11.465{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120968Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:11.465{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000120989Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:12.776{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C41482E4FDA4A8E50463C3A87C45DAE,SHA256=CB58FDA8F7286A08928207411A068DE26F647EBC685452F71E7F2CEA86C3B56A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120988Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:12.747{5F3DCEF0-287B-623C-2F00-000000004202}3064NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-055648375a9ac07a7\channels\health\surveyor-20220324081451-169MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086687Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:12.389{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73D766783E6D8DA86C888F8A294BF15F,SHA256=5687146C86D986F3860FF0D298D68BFCB7E79D02CCA694C3CEDA98334B5C45DC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120987Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:12.262{5F3DCEF0-286D-623C-0D00-000000004202}8841132C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+2da4f|c:\windows\system32\rpcss.dll+30e76|c:\windows\system32\rpcss.dll+3e52a|C:\Windows\System32\RPCRT4.dll+6a3e8|C:\Windows\System32\RPCRT4.dll+2ef39|C:\Windows\System32\RPCRT4.dll+2ed53|C:\Windows\System32\RPCRT4.dll+142d4|C:\Windows\System32\RPCRT4.dll+14751|C:\Windows\System32\RPCRT4.dll+11a1d|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120986Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:12.262{5F3DCEF0-286D-623C-0D00-000000004202}8841132C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+2da4f|c:\windows\system32\rpcss.dll+30e76|c:\windows\system32\rpcss.dll+3e52a|C:\Windows\System32\RPCRT4.dll+6a3e8|C:\Windows\System32\RPCRT4.dll+2ef39|C:\Windows\System32\RPCRT4.dll+2ed53|C:\Windows\System32\RPCRT4.dll+142d4|C:\Windows\System32\RPCRT4.dll+14751|C:\Windows\System32\RPCRT4.dll+11a1d|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120985Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:12.262{5F3DCEF0-286D-623C-0D00-000000004202}8841132C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+2da4f|c:\windows\system32\rpcss.dll+30e76|c:\windows\system32\rpcss.dll+3e52a|C:\Windows\System32\RPCRT4.dll+6a3e8|C:\Windows\System32\RPCRT4.dll+2ef39|C:\Windows\System32\RPCRT4.dll+2ed53|C:\Windows\System32\RPCRT4.dll+142d4|C:\Windows\System32\RPCRT4.dll+14751|C:\Windows\System32\RPCRT4.dll+11a1d|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120984Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:12.262{5F3DCEF0-286D-623C-0D00-000000004202}8841132C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+2da4f|c:\windows\system32\rpcss.dll+30e76|c:\windows\system32\rpcss.dll+3e52a|C:\Windows\System32\RPCRT4.dll+6a3e8|C:\Windows\System32\RPCRT4.dll+2ef39|C:\Windows\System32\RPCRT4.dll+2ed53|C:\Windows\System32\RPCRT4.dll+142d4|C:\Windows\System32\RPCRT4.dll+14751|C:\Windows\System32\RPCRT4.dll+11a1d|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120983Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:12.262{5F3DCEF0-286D-623C-0D00-000000004202}8841132C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+2da4f|c:\windows\system32\rpcss.dll+30e76|c:\windows\system32\rpcss.dll+3e52a|C:\Windows\System32\RPCRT4.dll+6a3e8|C:\Windows\System32\RPCRT4.dll+2ef39|C:\Windows\System32\RPCRT4.dll+2ed53|C:\Windows\System32\RPCRT4.dll+142d4|C:\Windows\System32\RPCRT4.dll+14751|C:\Windows\System32\RPCRT4.dll+11a1d|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120982Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:12.262{5F3DCEF0-286D-623C-0D00-000000004202}8841132C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+2da4f|c:\windows\system32\rpcss.dll+30e76|c:\windows\system32\rpcss.dll+3e52a|C:\Windows\System32\RPCRT4.dll+6a3e8|C:\Windows\System32\RPCRT4.dll+2ef39|C:\Windows\System32\RPCRT4.dll+2ed53|C:\Windows\System32\RPCRT4.dll+142d4|C:\Windows\System32\RPCRT4.dll+14751|C:\Windows\System32\RPCRT4.dll+11a1d|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120981Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:12.262{5F3DCEF0-286D-623C-0D00-000000004202}8841132C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+2da4f|c:\windows\system32\rpcss.dll+30e76|c:\windows\system32\rpcss.dll+3e52a|C:\Windows\System32\RPCRT4.dll+6a3e8|C:\Windows\System32\RPCRT4.dll+2ef39|C:\Windows\System32\RPCRT4.dll+2ed53|C:\Windows\System32\RPCRT4.dll+142d4|C:\Windows\System32\RPCRT4.dll+14751|C:\Windows\System32\RPCRT4.dll+11a1d|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120980Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:12.262{5F3DCEF0-286D-623C-0D00-000000004202}8841132C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+2da4f|c:\windows\system32\rpcss.dll+30e76|c:\windows\system32\rpcss.dll+3e52a|C:\Windows\System32\RPCRT4.dll+6a3e8|C:\Windows\System32\RPCRT4.dll+2ef39|C:\Windows\System32\RPCRT4.dll+2ed53|C:\Windows\System32\RPCRT4.dll+142d4|C:\Windows\System32\RPCRT4.dll+14751|C:\Windows\System32\RPCRT4.dll+11a1d|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120979Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:12.262{5F3DCEF0-286D-623C-0D00-000000004202}8841132C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+2da4f|c:\windows\system32\rpcss.dll+30e76|c:\windows\system32\rpcss.dll+3e52a|C:\Windows\System32\RPCRT4.dll+6a3e8|C:\Windows\System32\RPCRT4.dll+2ef39|C:\Windows\System32\RPCRT4.dll+2ed53|C:\Windows\System32\RPCRT4.dll+142d4|C:\Windows\System32\RPCRT4.dll+14751|C:\Windows\System32\RPCRT4.dll+11a1d|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120978Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:12.262{5F3DCEF0-286D-623C-0D00-000000004202}8841132C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9800-000000004202}5168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+2da4f|c:\windows\system32\rpcss.dll+30e76|c:\windows\system32\rpcss.dll+3e52a|C:\Windows\System32\RPCRT4.dll+6a3e8|C:\Windows\System32\RPCRT4.dll+2ef39|C:\Windows\System32\RPCRT4.dll+2ed53|C:\Windows\System32\RPCRT4.dll+142d4|C:\Windows\System32\RPCRT4.dll+14751|C:\Windows\System32\RPCRT4.dll+11a1d|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120977Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:12.262{5F3DCEF0-286D-623C-0D00-000000004202}8841132C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9800-000000004202}5168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+2da4f|c:\windows\system32\rpcss.dll+30e76|c:\windows\system32\rpcss.dll+3e52a|C:\Windows\System32\RPCRT4.dll+6a3e8|C:\Windows\System32\RPCRT4.dll+2ef39|C:\Windows\System32\RPCRT4.dll+2ed53|C:\Windows\System32\RPCRT4.dll+142d4|C:\Windows\System32\RPCRT4.dll+14751|C:\Windows\System32\RPCRT4.dll+11a1d|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120976Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:12.262{5F3DCEF0-286D-623C-0D00-000000004202}8841132C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9800-000000004202}5168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+2da4f|c:\windows\system32\rpcss.dll+30e76|c:\windows\system32\rpcss.dll+3e52a|C:\Windows\System32\RPCRT4.dll+6a3e8|C:\Windows\System32\RPCRT4.dll+2ef39|C:\Windows\System32\RPCRT4.dll+2ed53|C:\Windows\System32\RPCRT4.dll+142d4|C:\Windows\System32\RPCRT4.dll+14751|C:\Windows\System32\RPCRT4.dll+11a1d|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000120975Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:12.262{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe 23542300x8000000000000000120974Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:12.246{5F3DCEF0-5000-623C-BD05-000000004202}6696ATTACKRANGE\AdministratorC:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\AppData\Local\dnSpy\Startup64\net\startup-roslyn.profileMD5=B94571AFE8588B489085F8D515B0A14E,SHA256=086379792B2CECE9EE7D8AC38318F10B982DDCC65771ACEC35A7A0F863853E6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120973Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:12.200{5F3DCEF0-5000-623C-BD05-000000004202}6696ATTACKRANGE\AdministratorC:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\AppData\Roaming\dnSpy\dnSpy.xmlMD5=40C9413D681EF944D0DA16DC0B6F8053,SHA256=1D1A58BB48F1DD1C26FADB3B83572E242A1989116C1B0A185F0EC431BECB2216,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120972Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:12.168{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-5000-623C-BD05-000000004202}6696C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000120990Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:13.872{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A1BA0CDFF09B891F1C05810087284F7,SHA256=61219366B7685BA1FEAB05D4CF2B84149B6B4B511C46FBCA197F9AB1B3582398,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086688Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:13.483{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E2F33FDD8DAFC39D62B93C682E7D488,SHA256=B559C7056AC5BA198FA2F45F030DD22DD3C2B5857FE10E208D13F71E1D1D37D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120992Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:14.966{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1082F128E72C6DCB5ED1DDCD774D0B36,SHA256=C6403A9E1666192EC8A6B9B4C81E15553D901D80FA4A4BF0E17D9D3B7830F169,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086689Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:14.577{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17EEF5928FEB43CE5F213297B6048464,SHA256=1F0653EF7EAF38D13846552183E5130A7CE142190F35E58DA0341A03BF1C419A,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000120991Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.localInvDBSetValue2022-03-24 11:08:14.263{5F3DCEF0-286D-623C-1200-000000004202}396C:\Windows\System32\svchost.exeHKU\S-1-5-21-121674864-1922237361-2357191555-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Users\Administrator\Downloads\dnSpy.exeBinary Data 23542300x800000000000000086690Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:15.671{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34F0E1FCD168C05A976F5D0660B6B3C9,SHA256=67854E97C68A941815DEABA187FBABB0CE854AC1DF3848E19BF1679486D09947,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086691Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:16.765{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15FE98C9688CCA55FDD7AA7D090B2C62,SHA256=1C9CE3B3FE11DAECFCE6CF31E5D9670BCBE28DCCF72E30AF27CE7CBD28DFE390,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000120994Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:14.877{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63395-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000120993Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:16.060{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E8E74F575DF54712F4E97210FB69C26,SHA256=52FCBD66B69FE093D71265D83F3D52DE5C1A80E8F6E1E3A5FA24AD61D38F59BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086693Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:17.968{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B60EB1BD16DA398BEFB86665068F1074,SHA256=A954E824C9C4B10DAE4E59C240B92693236BCE0CC48613A1FA0E40BFCA8B1235,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120995Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:17.156{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36F30FCA5251115DB85E1046287D1D70,SHA256=77D3AD90D17744A07D293DC87279FE03B45511912054D86EDB90EDDDE905BEBE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000086692Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:15.657{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51742-false10.0.1.12-8000- 23542300x8000000000000000120996Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:18.250{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69D13FB50D3800F5A464B00305F09A40,SHA256=C02E8A92018640E8F7596B8CAEE3D00A0A36E462FFE3C64CE5046F6E91F7D7B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120997Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:19.343{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95D1D02E2D3387F53C4D1E730F95075A,SHA256=1040577857EBC2E65FC0E6C241DCD5D12AC4602FF886C3AA93E766D8CA3ACE67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086694Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:19.062{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B62A3A26102B50BBDD4EA4DA6EC7DD9,SHA256=1C8FACCA4F69BF4ACCF27917D3553F139C47FDD03E33D7E4B8C2F201CB9CAFBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120998Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:20.437{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F8E69A7F650BEDDC6CAF520E442B196,SHA256=A0C8D823402B4D586B909265062AD390C5661AB6FEFF6209548F8BED93952324,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086695Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:20.155{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7819D25475EDD14449B94DAE0CB4EFAB,SHA256=52336677211172D8F68212A14D32B08CD1E69330DCC8E303654A4A13BE36BFAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120999Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:21.531{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA454BA5ED9AE6C0BF74F750B2500D8A,SHA256=07CDA17A8067840FEC70E5B490C125E6C0DDD6CBDFD740453A0C58F5B0EBFF64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086696Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:21.249{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C2CF4F914825658710DFAF6D884C5C3,SHA256=4E0BCDDFC246D2966C26E07AFAE93BF525A2B10D9A85B4A2200A44B14F172524,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121000Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:22.625{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B16166C2A91D19775080B041013701AC,SHA256=3414E04F3D4B398D50806A5B02335479D2E5F3FA9E4EECD41F425466DD6AD380,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000086698Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:20.798{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51743-false10.0.1.12-8000- 23542300x800000000000000086697Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:22.343{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EF35C0DB80278E770519EF25EF00BD1,SHA256=F2A71B61F12960D8DF8466BBB9B10E51461B7290444AE96251E44FFCF632BB77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121002Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:23.718{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4C7945C8695E9AE08030824C18AADA0,SHA256=571ACA9A843D2453905EE14C18D0BCF8DC064A5EB720DB60030749F79DBF8C5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086699Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:23.437{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C82D0843A58BB4F6C3EA35465E0CB0EC,SHA256=4965B85B5B1BCDDDD7621D6B5963BDB642573FF54330A81C82FA53CDC92E7809,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000121001Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:20.863{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63396-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000121003Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:24.812{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=993CE077E4BA246ED5C683ACAC06D2AA,SHA256=FCC61506B4B521E8BA1585074F32489D5A727DBDB881B95823587C66D2B6E0BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086700Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:24.530{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20A736F2E23E1FDD7415E755C84ABE47,SHA256=0436A138F866655019EA7523606BF4976F1338CD3C5FF1232BD36F691516DE1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121004Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:25.906{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=753F157F7AE05FD699014D8871D78EBE,SHA256=07148C311A62F5C9D3D885A48C91151AAB27FD6D2E6868AC881A3C007C646A30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086702Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:25.734{9531C931-286E-623C-2100-000000004302}2000NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=DAA5A259A4BBBDD4F8760415115A2459,SHA256=D456CE7D23687A8A13B8CBEF7C15EDE02D3097120C5518FEF7625B87C0BCC88A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086701Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:25.624{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=257522D291532A057159F7BC54EAEE94,SHA256=9941E448996A363CA071EA7783B30B5E45A210B7E1D05265877A562EF72B88C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086703Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:26.718{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AEE53FF66A3789CEC400FA712827DBD,SHA256=B6E10A439F917511412D1ECAF03EAEB12C65A1D803A5DF44A7CCB9160BCDE827,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086704Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:27.812{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7BEF5CBA35CE9D32ED26CCB88743A9F,SHA256=874D163B76C4CB56F8883DA9C45E2AB2171797381D6A05A6946EBCA77599EB60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121005Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:27.000{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A172E131D9ACBF4B2782A56F632E6BA,SHA256=7122C54AE8A61BCB1E87F75CA9D462E4EFEA20CDCB300856F4E19A564C7BA920,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086706Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:28.905{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=190611BD9C50D3782AE82B3EC16DE8D0,SHA256=829A606114D830B03D1920CDCAC6A3F33FE5855B47610ED7A611B4BF337B41F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000121007Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:25.879{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63397-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000121006Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:28.093{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C03B885C16B7278BDD4CC24290B8D47A,SHA256=BD2B1B18ED0B6D952CC5830300BA0912AD015975B20C4567FB05FF2B96E3AC50,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000086705Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:26.642{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51744-false10.0.1.12-8000- 23542300x8000000000000000121008Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:29.187{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D08C2DC2DA33EFB13C1C45FAAAE687B,SHA256=9A53A6F27E9AF6B3A9D60D2E6ED1892FB77EB0C9BCB1596F5EC314587F777925,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121009Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:30.281{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DC10B97038025F944C699176AFB85D9,SHA256=89126B2B438F1B6551661E7BF4F3708ACA9393DBE3A50135AA76FF50B7BAD127,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086707Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:29.999{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=308B2FF50808885B1D7172FD28EB92D1,SHA256=1339005E70FA0EEEB3C8A7988F21D8BD8E8678871949F1C26E819A22881B1CA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121010Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:31.375{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A77F84B38C2FDB855CF54A3ABCB8F9CB,SHA256=902D3E6F5640FD12889168CA9B612C0C4430B010B43CA14A1603EA0592378A64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086709Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:31.624{9531C931-286E-623C-2100-000000004302}2000NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B25FDCC12974A9C381F03B139373D5A,SHA256=CCB13157BCC6FA0284F12C6446F2447FFDD0F4F85F98465868293CDAEA96B09E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086708Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:31.093{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68EEA0AEDC1B8D0FF1C2145875D9DA29,SHA256=ED68B3B0AFDC96847C51603BFAAB16BD7DEC3C0EE06CAA8B70ACD381AB5F89E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121011Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:32.468{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=989FA546D373834360A697BEA8550BC3,SHA256=B326E2BB6F23566873214BFC67AC06E885EA5C3B2EA9EEFAAE37F68E6311EEBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086710Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:32.187{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2E98C046318A32BF6B1A3A30CDE7638,SHA256=3A2B2340FDEF83A4539C842609CF2698F31DEAE4F49AE7A3EF7236AF5DAA73EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121013Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:33.562{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4FA8399757DB8B9B3D78C99F859B97C,SHA256=2CC228D4347B16AC35F25A6816CC31AAF27429E66209713A146C983AF2ED7557,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000086713Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:31.751{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51746-false10.0.1.12-8000- 354300x800000000000000086712Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:31.158{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51745-false10.0.1.12-8089- 23542300x800000000000000086711Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:33.296{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA0DE930631F39652276AE24B3B81250,SHA256=730B9E9E03C4C54E72DD10D17904ED5DAF7648EFBC5295DD80A84BE064ECEDEF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000121012Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:30.988{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63398-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000121014Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:34.656{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25E2653F72448340B588445FBA686464,SHA256=591DCA6603644D9B2FBA8371F93B43FEE6DFB3EED1AE0C9F4DE8715C3F7E1F66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086714Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:34.405{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45D7FCB30BE137830A2155A5E85591A2,SHA256=7894B8E37028BC88380F28F3159C9746FFB9CAFE2BD588EF8C18068A712342C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121016Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:35.750{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19FF3825EA4E7DA09A5FC07EF0CD682B,SHA256=128C59A04C2048005FF6C6BBDD38E647A8D248160B9ECDFC34D57A132CDD386B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086715Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:35.499{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD733EB53AF735B639C50266E61F0362,SHA256=4AEE0C746F80A32E82CD82AC982BC96CC159A3A1D77B83D9B9F547BD9FF1B50F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121015Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:35.546{5F3DCEF0-287B-623C-3200-000000004202}2344NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=A7AD5B1507AD2D20F9F992D59C113752,SHA256=DB03B84FDE73DBA0E8C5007AED5D9821CDF15D0958886C82C8275B79FE197940,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121017Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:36.847{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88A483DDFEF60DA07BB452A399514616,SHA256=ED38AD489AB9A8F09FE305D41CDE4261C4D413557A0134A9E87045A66371E6AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086716Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:36.597{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2B830691F46AC0EC0F1C232A5566F2E,SHA256=D59C92A3BCF87C3AA1CF5A10EDF86B73AD89A5FF6CECAD41BB797A55CF03B437,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121018Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:37.941{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=456CAE51D35015C25C8FAE56C1D7FA59,SHA256=E5A971D25696B0DFBF41044E43D543F687F87E8AE67D5113F18979D3801C3C35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086717Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:37.690{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8131DCBBF6FF86E902881C26C6F870B,SHA256=54BDE076381979D8B50EB75280FC8925B66C0CB5537DA795A8065A5C20EBCDC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086718Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:38.784{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B77BD744A44E2104B743AA7AAD6C5BBE,SHA256=D195A670BB6B333563CF66B655D8EB5D67E68C6D00D3DB25E68D318908130D55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086719Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:39.784{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=917E147339871AB75FC0143FC12079B7,SHA256=EAEB155166D596BE83A7921DFA86BB0FF703906A75C6951A33CD388B4D963099,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000121021Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:36.773{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63399-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000121020Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:39.207{5F3DCEF0-286D-623C-1300-000000004202}488NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=7D54582CB3C81132A7387E4D1A3DFD75,SHA256=9B26630ED4C714AE41FECF08075A686DDBDA92F242E9E831E1E8D202D17744CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121019Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:39.035{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7951BD12086889A11BC9D2993B5169F7,SHA256=D8E4F4712A45B2A913B7A02165AF7C1B9196C616AE72B2970BA5B542479CCA5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086722Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:40.878{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F87626495C7DCB98A6F38C35AF4D29FD,SHA256=B0778CC24036D20DB680386FAE308DE734D901D4552B3A20C2B4DE16066C3D56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121022Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:40.128{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2D32586B10EDD522CD9B9E1BC555D5C,SHA256=65F2100E8851AA1A84A2D08C04F0DC3698314746020C71EFE4C51666D05A3B56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086721Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:40.019{9531C931-286D-623C-1200-000000004302}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=64671E6901856C31E57A5DF52961272A,SHA256=8281AC68662655CE12B61B29289265A48A29CCF8DA77DCC21DF27F57ECE5CEBD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000086720Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:37.630{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51747-false10.0.1.12-8000- 23542300x8000000000000000121024Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:41.878{5F3DCEF0-287B-623C-3200-000000004202}2344NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B25FDCC12974A9C381F03B139373D5A,SHA256=CCB13157BCC6FA0284F12C6446F2447FFDD0F4F85F98465868293CDAEA96B09E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121023Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:41.222{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE414F144A86D39FD4979B0DC97C520C,SHA256=373DB4AEB443CC79233C7D1F2A88491C798066738CB5E18AA6F90EDA37B443CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000086740Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:39.304{9531C931-286D-623C-1000-000000004302}916C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.187.221.38-31120-false10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal3389ms-wbt-server 10341000x800000000000000086739Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:41.581{9531C931-2851-623C-0200-000000004302}304316C:\Windows\System32\smss.exe{9531C931-5139-623C-5205-000000004302}1540C:\Windows\system32\csrss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6cd4|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d401|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000086738Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:41.581{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-5139-623C-5205-000000004302}1540C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+1a7a4|c:\windows\system32\lsm.dll+1aa31|C:\Windows\SYSTEM32\ntdll.dll+1d401|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086737Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:41.581{9531C931-286E-623C-1600-000000004302}12161552C:\Windows\System32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086736Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:41.550{9531C931-5139-623C-5105-000000004302}33243672C:\Windows\System32\smss.exe{9531C931-5139-623C-5205-000000004302}1540C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\SYSTEM32\ntdll.dll+8c64e|C:\Windows\SYSTEM32\ntdll.dll+8c3f9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+1ee4|\SystemRoot\System32\smss.exe+20a1|\SystemRoot\System32\smss.exe+1c92|\SystemRoot\System32\smss.exe+1af6|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x800000000000000086735Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:41.561{9531C931-5139-623C-5205-000000004302}1540C:\Windows\System32\csrss.exe10.0.14393.2969 (rs1_release.190503-1820)Client Server Runtime ProcessMicrosoft® Windows® Operating SystemMicrosoft CorporationCSRSS.Exe%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e72SystemMD5=955E9227AA30A08B7465C109B863B886,SHA256=D896480BC8523FAD3AE152C81A2B572022C3778A34A6D85E089D150A68E9165E,IMPHASH=273BC9D936389D79244E6E56BE5096B6{9531C931-5139-623C-5105-000000004302}3324C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000100 0000007c 10341000x800000000000000086734Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:41.534{9531C931-2851-623C-0200-000000004302}304348C:\Windows\System32\smss.exe{9531C931-5139-623C-5105-000000004302}3324C:\Windows\System32\smss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6cd4|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d401|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000086733Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:41.534{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086732Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:41.534{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086731Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:41.534{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086730Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:41.534{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086729Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:41.534{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086728Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:41.534{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086727Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:41.534{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086726Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:41.534{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086725Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:41.534{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086724Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:41.534{9531C931-2851-623C-0200-000000004302}304316C:\Windows\System32\smss.exe{9531C931-5139-623C-5105-000000004302}3324C:\Windows\System32\smss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\SYSTEM32\ntdll.dll+8c64e|C:\Windows\SYSTEM32\ntdll.dll+8c3f9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+36ee|\SystemRoot\System32\smss.exe+3c31|C:\Windows\SYSTEM32\ntdll.dll+1d401|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x800000000000000086723Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:41.538{9531C931-5139-623C-5105-000000004302}3324C:\Windows\System32\smss.exe10.0.14393.2969 (rs1_release.190503-1820)Windows Session ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationsmss.exe\SystemRoot\System32\smss.exe 00000100 0000007c C:\Windows\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e72SystemMD5=725EC50D4B0F607BF5B45B5E0115770B,SHA256=56881BCAEAC350107A6453F38F020FE0E284DBE2E8A6F37ED482985E0DD98EA7,IMPHASH=09DDECA5943933973FE7DDDD24ED724A{9531C931-2851-623C-0200-000000004302}304C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 23542300x8000000000000000121025Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:42.316{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51ECBFA05C2390974244798877BC55E6,SHA256=54EBB7637344F4C24C68D5710A73CAA49D341059F403981FC27DA307CA88D326,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000086859Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:42.987{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086858Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:42.987{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086857Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:42.987{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086856Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:42.940{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286C-623C-0B00-000000004302}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086855Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:42.940{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286C-623C-0B00-000000004302}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086854Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:42.940{9531C931-286C-623C-0B00-000000004302}6283596C:\Windows\system32\lsass.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b8ad|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086853Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:42.909{9531C931-286C-623C-0B00-000000004302}6282684C:\Windows\system32\lsass.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000086852Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:42.894{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=877FB3978F7E58A7B8237C2008ABD46A,SHA256=3538AC7A89717D51B3684EEF30213B48B4A72480C3BE848051C5220C950EC88B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000086851Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:42.894{9531C931-286C-623C-0B00-000000004302}6282684C:\Windows\system32\lsass.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086850Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:42.894{9531C931-286C-623C-0B00-000000004302}6282684C:\Windows\system32\lsass.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000086849Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:42.894{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=B8B83AE7A3E2B7D477AD5C53A1AA26C2,SHA256=E75FC31A290431E4F453510C7AEF5EA72A793A728A149DF66841B5082CDDDFD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086848Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:42.878{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=79A67A1EE36105B43D48C4BF168F5BE1,SHA256=0C6FA038BF05ED3D06DD1C997C888DC73ED8ED60CA250D7865A69EF442754974,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000086847Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:42.878{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513A-623C-5505-000000004302}976C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086846Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:42.847{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-513A-623C-5505-000000004302}976C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086845Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:42.847{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-513A-623C-5505-000000004302}976C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086844Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:42.831{9531C931-286E-623C-1400-000000004302}9523608C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+15538|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b920|C:\Windows\system32\wbem\wbemcore.dll+255ff|C:\Windows\system32\wbem\wbemcore.dll+24a9a|C:\Windows\system32\wbem\wbemcore.dll+2485e|C:\Windows\system32\wbem\wbemcore.dll+dc51|C:\Windows\system32\wbem\wbemcore.dll+2cfdf|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086843Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:42.800{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086842Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:42.675{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086841Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:42.675{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086840Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:42.675{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086839Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:42.675{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086838Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:42.675{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086837Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:42.675{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086836Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:42.675{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086835Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:42.675{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086834Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:42.675{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086833Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:42.659{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086832Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:42.659{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086831Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:42.659{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086830Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:42.659{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086829Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:42.659{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086828Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:42.659{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086827Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:42.659{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086826Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:42.659{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086825Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:42.659{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086824Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:42.628{9531C931-286C-623C-0500-000000004302}408424C:\Windows\system32\csrss.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000086823Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:42.628{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f553|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25bc9|c:\windows\system32\rpcss.dll+40ca2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086822Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:42.612{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286C-623C-0B00-000000004302}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086821Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:42.612{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286C-623C-0B00-000000004302}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086820Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:42.612{9531C931-286C-623C-0B00-000000004302}6282684C:\Windows\system32\lsass.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b8ad|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086819Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:42.565{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-5139-623C-5305-000000004302}3820C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086818Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:42.565{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-5139-623C-5305-000000004302}3820C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086817Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:42.565{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-5139-623C-5305-000000004302}3820C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086816Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:42.565{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-5139-623C-5305-000000004302}3820C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086815Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:42.565{9531C931-286E-623C-1400-000000004302}9521952C:\Windows\system32\svchost.exe{9531C931-513A-623C-5505-000000004302}976C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086814Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:42.565{9531C931-286E-623C-1400-000000004302}9521104C:\Windows\system32\svchost.exe{9531C931-513A-623C-5505-000000004302}976C:\Windows\system32\dwm.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086813Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:42.550{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513A-623C-5405-000000004302}3772C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086812Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:42.550{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513A-623C-5405-000000004302}3772C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086811Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:42.550{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513A-623C-5405-000000004302}3772C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086810Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:42.550{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513A-623C-5405-000000004302}3772C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000086809Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:42.503{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0B17FDB06871226D891B46378C8D7D41,SHA256=1CDC3F5738E14F85D0385498E72A421490AFC7B42731F50DFC4B8AF73C80C3D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086808Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:42.503{9531C931-286E-623C-1400-000000004302}952NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\WindowsUpdate.logMD5=038356387332650843BCB352BB89A101,SHA256=492C9B102256321FB5598FF87ED5BCCAB8159F36DD8416CE4011FFBF5E96048D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086807Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:42.503{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3726FE04E6DFF0CA2FB0320226A5A30E,SHA256=E40579F25F647FC6C3A934F2E373C18DB87C9B56EE4123F19D6806292D5AAAFB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000086806Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:42.472{9531C931-286E-623C-1400-000000004302}9521952C:\Windows\system32\svchost.exe{9531C931-513A-623C-5405-000000004302}3772C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086805Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:42.472{9531C931-286E-623C-1400-000000004302}9521104C:\Windows\system32\svchost.exe{9531C931-513A-623C-5405-000000004302}3772C:\Windows\system32\LogonUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086804Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:42.456{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-5139-623C-5305-000000004302}3820C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086803Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:42.456{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-5139-623C-5305-000000004302}3820C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086802Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:42.393{9531C931-5139-623C-5205-000000004302}15401844C:\Windows\system32\csrss.exe{9531C931-513A-623C-5405-000000004302}3772C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000086801Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:42.393{9531C931-5139-623C-5305-000000004302}38203156C:\Windows\system32\winlogon.exe{9531C931-513A-623C-5405-000000004302}3772C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f553|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\winlogon.exe+193b7|C:\Windows\system32\winlogon.exe+22617|C:\Windows\system32\winlogon.exe+2b287|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000086800Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:42.402{9531C931-513A-623C-5405-000000004302}3772C:\Windows\System32\LogonUI.exe10.0.14393.0 (rs1_release.160715-1616)Windows Logon User Interface HostMicrosoft® Windows® Operating SystemMicrosoft Corporationlogonui.exe"LogonUI.exe" /flags:0x2 /state0:0xa3a57855 /state1:0x41c64e6dC:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e72SystemMD5=B38DFCF985D8AE5B1A17C264981E61C7,SHA256=AA62D29803D52EC06CD27ED3124E034048F09606EB7342181913C9817C7B44C5,IMPHASH=A6F3A84D171E55B51A7343E05C8DFAC3{9531C931-5139-623C-5305-000000004302}3820C:\Windows\System32\winlogon.exewinlogon.exe 10341000x800000000000000086799Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:42.393{9531C931-5139-623C-5205-000000004302}15403348C:\Windows\system32\csrss.exe{9531C931-513A-623C-5505-000000004302}976C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000086798Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:42.393{9531C931-5139-623C-5305-000000004302}38201620C:\Windows\system32\winlogon.exe{9531C931-513A-623C-5505-000000004302}976C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f553|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\SYSTEM32\dwminit.dll+2d11|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000086797Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:42.403{9531C931-513A-623C-5505-000000004302}976C:\Windows\System32\dwm.exe10.0.14393.0 (rs1_release.160715-1616)Desktop Window ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationdwm.exe"dwm.exe"C:\Windows\system32\Window Manager\DWM-2{9531C931-513A-623C-59CD-320000000000}0x32cd592SystemMD5=C89F159A577F19F7F03C73C98D29D841,SHA256=B3E37997C1C62DD90D69EF83D6A6FC782BF9A5B8AD04A0D1528A8B7FA31AA408,IMPHASH=DDB7DE3741333EE031929A760FCD4542{9531C931-5139-623C-5305-000000004302}3820C:\Windows\System32\winlogon.exewinlogon.exe 10341000x800000000000000086796Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:42.393{9531C931-286C-623C-0B00-000000004302}6282684C:\Windows\system32\lsass.exe{9531C931-5139-623C-5305-000000004302}3820C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1e908|C:\Windows\system32\lsasrv.dll+1db31|C:\Windows\system32\lsasrv.dll+1c880|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086795Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:42.393{9531C931-286C-623C-0B00-000000004302}6282684C:\Windows\system32\lsass.exe{9531C931-5139-623C-5305-000000004302}3820C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1e908|C:\Windows\system32\lsasrv.dll+1db31|C:\Windows\system32\lsasrv.dll+1c350|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086794Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:42.393{9531C931-286C-623C-0B00-000000004302}6282684C:\Windows\system32\lsass.exe{9531C931-5139-623C-5305-000000004302}3820C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1ad36|C:\Windows\system32\lsasrv.dll+1c2df|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086793Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:42.393{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286C-623C-0B00-000000004302}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086792Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:42.393{9531C931-286C-623C-0B00-000000004302}6282684C:\Windows\system32\lsass.exe{9531C931-5139-623C-5305-000000004302}3820C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b8ad|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086791Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:42.393{9531C931-286C-623C-0B00-000000004302}6282684C:\Windows\system32\lsass.exe{9531C931-5139-623C-5305-000000004302}3820C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086790Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:42.393{9531C931-286C-623C-0B00-000000004302}6282684C:\Windows\system32\lsass.exe{9531C931-5139-623C-5305-000000004302}3820C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086789Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:42.378{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-5139-623C-5305-000000004302}3820C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086788Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:42.378{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-5139-623C-5305-000000004302}3820C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086787Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:42.378{9531C931-286E-623C-1400-000000004302}9521952C:\Windows\system32\svchost.exe{9531C931-5139-623C-5305-000000004302}3820C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086786Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:42.378{9531C931-286E-623C-1400-000000004302}9521952C:\Windows\system32\svchost.exe{9531C931-5139-623C-5305-000000004302}3820C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+4689|c:\windows\system32\themeservice.dll+3fdd|c:\windows\system32\themeservice.dll+3c53|c:\windows\system32\themeservice.dll+2675|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086785Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:42.378{9531C931-286E-623C-1400-000000004302}9521104C:\Windows\system32\svchost.exe{9531C931-5139-623C-5305-000000004302}3820C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086784Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:42.378{9531C931-286E-623C-1400-000000004302}9521952C:\Windows\system32\svchost.exe{9531C931-5139-623C-5305-000000004302}3820C:\Windows\system32\winlogon.exe0x147aC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\themeservice.dll+3de3|c:\windows\system32\themeservice.dll+26c0|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086783Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:42.378{9531C931-286E-623C-1400-000000004302}9521104C:\Windows\system32\svchost.exe{9531C931-5139-623C-5305-000000004302}3820C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086782Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:42.222{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086781Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:42.222{9531C931-5139-623C-5205-000000004302}1540576C:\Windows\system32\csrss.exe{9531C931-286D-623C-1000-000000004302}916C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\winsrv.DLL+1ef0|C:\Windows\system32\winsrv.DLL+17e9|C:\Windows\system32\winsrv.DLL+1579|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000086780Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:42.222{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086779Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:41.909{9531C931-286C-623C-0B00-000000004302}6282684C:\Windows\system32\lsass.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000086778Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:41.800{9531C931-2850-623C-0100-000000004302}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\NextInstanceDWORD (0x00000002) 13241300x800000000000000086777Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:41.800{9531C931-2850-623C-0100-000000004302}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\CountDWORD (0x00000002) 13241300x800000000000000086776Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:41.800{9531C931-2850-623C-0100-000000004302}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Mouse0 13241300x800000000000000086775Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:41.800{9531C931-2850-623C-0100-000000004302}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000002) 13241300x800000000000000086774Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:41.800{9531C931-2850-623C-0100-000000004302}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000002) 13241300x800000000000000086773Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:41.800{9531C931-2850-623C-0100-000000004302}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Mouse0 13241300x800000000000000086772Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971InvDB-DriverVerSetValue2022-03-24 11:08:41.800{9531C931-2850-623C-0100-000000004302}4SystemHKLM\System\CurrentControlSet\Control\Class\{4d36e96f-e325-11ce-bfc1-08002be10318}\0002\DriverVersion10.0.14393.0 13241300x800000000000000086771Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:41.785{9531C931-2850-623C-0100-000000004302}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\NextInstanceDWORD (0x00000002) 13241300x800000000000000086770Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:41.785{9531C931-2850-623C-0100-000000004302}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\CountDWORD (0x00000002) 13241300x800000000000000086769Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:41.785{9531C931-2850-623C-0100-000000004302}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Keyboard0 13241300x800000000000000086768Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:41.785{9531C931-2850-623C-0100-000000004302}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000001) 13241300x800000000000000086767Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:41.785{9531C931-2850-623C-0100-000000004302}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000001) 13241300x800000000000000086766Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:41.785{9531C931-2850-623C-0100-000000004302}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\0TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Keyboard0 13241300x800000000000000086765Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971InvDB-DriverVerSetValue2022-03-24 11:08:41.769{9531C931-2850-623C-0100-000000004302}4SystemHKLM\System\CurrentControlSet\Control\Class\{4d36e96b-e325-11ce-bfc1-08002be10318}\0002\DriverVersion10.0.14393.0 10341000x800000000000000086764Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:41.628{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086763Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:41.628{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086762Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:41.628{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086761Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:41.628{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086760Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:41.628{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086759Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:41.628{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086758Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:41.628{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-5139-623C-5305-000000004302}3820C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2387f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086757Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:41.628{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086756Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:41.628{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-5139-623C-5305-000000004302}3820C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+2380c|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086755Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:41.628{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-5139-623C-5305-000000004302}3820C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+237c4|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086754Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:41.597{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086753Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:41.597{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086752Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:41.597{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086751Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:41.597{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086750Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:41.597{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086749Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:41.597{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086748Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:41.597{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086747Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:41.597{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086746Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:41.597{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086745Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:41.597{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-5139-623C-5205-000000004302}1540C:\Windows\system32\csrss.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1ac1c|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000086744Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:41.597{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-5139-623C-5305-000000004302}3820C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1abf6|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000086743Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:41.597{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-5139-623C-5305-000000004302}3820C:\Windows\system32\winlogon.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1abdc|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000086742Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:41.597{9531C931-5139-623C-5105-000000004302}33243672C:\Windows\System32\smss.exe{9531C931-5139-623C-5305-000000004302}3820C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\SYSTEM32\ntdll.dll+8c64e|C:\Windows\SYSTEM32\ntdll.dll+8c3f9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+1d5e|\SystemRoot\System32\smss.exe+1b09|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x800000000000000086741Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:41.597{9531C931-5139-623C-5305-000000004302}3820C:\Windows\System32\winlogon.exe10.0.14393.3204 (rs1_release.190830-1500)Windows Logon ApplicationMicrosoft® Windows® Operating SystemMicrosoft CorporationWINLOGON.EXEwinlogon.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e72SystemMD5=DEA4CE12F24601830083126E18A2C7C9,SHA256=F002F8C2EA49D21F242996E3D57F5FDD7995FE6DB524BB69BBD7F190CC0211A9,IMPHASH=3CF10D94C117DB4F6E9D523B93429D6D{9531C931-5139-623C-5105-000000004302}3324C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000100 0000007c 354300x8000000000000000121029Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:41.789{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63401-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000121028Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:41.617{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63400-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000121027Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:41.524{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local53domainfalse10.0.1.15WIN-HOST-TCONTR55210- 23542300x8000000000000000121026Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:43.410{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B04CEDFA782F135999D84A54A4CF87DE,SHA256=25D10A7A4E8B5D7C17B67E2D332F4403D6DBA0A30535A3B283BCA66BB7A4A6CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086989Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.956{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1311D8108252A31AA13805F6189A3215,SHA256=66621ADBEDB7604D22094A849D6A61A8A45809FE15FEA21752770E288792C7E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000086988Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.956{9531C931-286C-623C-0B00-000000004302}6282684C:\Windows\system32\lsass.exe{9531C931-5139-623C-5305-000000004302}3820C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086987Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.956{9531C931-286C-623C-0B00-000000004302}6282684C:\Windows\system32\lsass.exe{9531C931-5139-623C-5305-000000004302}3820C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086986Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.956{9531C931-286C-623C-0B00-000000004302}6282684C:\Windows\system32\lsass.exe{9531C931-5139-623C-5305-000000004302}3820C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086985Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.956{9531C931-286C-623C-0B00-000000004302}6282684C:\Windows\system32\lsass.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086984Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.956{9531C931-286C-623C-0B00-000000004302}6282684C:\Windows\system32\lsass.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086983Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.956{9531C931-286C-623C-0B00-000000004302}6282684C:\Windows\system32\lsass.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1e908|C:\Windows\system32\lsasrv.dll+1db31|C:\Windows\system32\lsasrv.dll+1c350|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086982Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.956{9531C931-286C-623C-0B00-000000004302}6282684C:\Windows\system32\lsass.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1ad36|C:\Windows\system32\lsasrv.dll+1c2df|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086981Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.956{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286C-623C-0B00-000000004302}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086980Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.940{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086979Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.940{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086978Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.940{9531C931-286C-623C-0B00-000000004302}6282684C:\Windows\system32\lsass.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086977Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.940{9531C931-286C-623C-0B00-000000004302}6282684C:\Windows\system32\lsass.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086976Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.940{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086975Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.940{9531C931-286C-623C-0B00-000000004302}6283596C:\Windows\system32\lsass.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086974Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.940{9531C931-286C-623C-0B00-000000004302}6283596C:\Windows\system32\lsass.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086973Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.940{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-5139-623C-5305-000000004302}3820C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086972Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.940{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-5139-623C-5305-000000004302}3820C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086971Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.940{9531C931-286C-623C-0B00-000000004302}6283596C:\Windows\system32\lsass.exe{9531C931-5139-623C-5305-000000004302}3820C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086970Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.940{9531C931-286C-623C-0B00-000000004302}6283596C:\Windows\system32\lsass.exe{9531C931-5139-623C-5305-000000004302}3820C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086969Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.940{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086968Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.940{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086967Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.940{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086966Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.893{9531C931-286C-623C-0B00-000000004302}6282684C:\Windows\system32\lsass.exe{9531C931-513A-623C-5405-000000004302}3772C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086965Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.893{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513A-623C-5405-000000004302}3772C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086964Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.893{9531C931-286C-623C-0B00-000000004302}6283596C:\Windows\system32\lsass.exe{9531C931-513A-623C-5405-000000004302}3772C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086963Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.893{9531C931-286D-623C-1000-000000004302}9163644C:\Windows\System32\svchost.exe{9531C931-513A-623C-5405-000000004302}3772C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\termsrv.dll+a1317|c:\windows\system32\termsrv.dll+6aa48|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086962Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.893{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513A-623C-5405-000000004302}3772C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086961Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.893{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513A-623C-5405-000000004302}3772C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086960Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.893{9531C931-286C-623C-0B00-000000004302}6283596C:\Windows\system32\lsass.exe{9531C931-513A-623C-5405-000000004302}3772C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086959Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.893{9531C931-286C-623C-0B00-000000004302}6282684C:\Windows\system32\lsass.exe{9531C931-513A-623C-5405-000000004302}3772C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086958Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.893{9531C931-286C-623C-0B00-000000004302}6283596C:\Windows\system32\lsass.exe{9531C931-513A-623C-5405-000000004302}3772C:\Windows\system32\LogonUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086957Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.893{9531C931-286C-623C-0B00-000000004302}6283596C:\Windows\system32\lsass.exe{9531C931-513A-623C-5405-000000004302}3772C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086956Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.893{9531C931-286C-623C-0B00-000000004302}6282684C:\Windows\system32\lsass.exe{9531C931-513A-623C-5405-000000004302}3772C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086955Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.893{9531C931-286C-623C-0B00-000000004302}6282684C:\Windows\system32\lsass.exe{9531C931-513A-623C-5405-000000004302}3772C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086954Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.893{9531C931-286C-623C-0B00-000000004302}6283596C:\Windows\system32\lsass.exe{9531C931-513A-623C-5405-000000004302}3772C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086953Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.893{9531C931-286C-623C-0B00-000000004302}6283596C:\Windows\system32\lsass.exe{9531C931-513A-623C-5405-000000004302}3772C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086952Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.893{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513A-623C-5405-000000004302}3772C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086951Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.893{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513A-623C-5405-000000004302}3772C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086950Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.893{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286D-623C-1000-000000004302}916C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000086949Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.893{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513A-623C-5405-000000004302}3772C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086948Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.893{9531C931-286C-623C-0B00-000000004302}6282684C:\Windows\system32\lsass.exe{9531C931-513A-623C-5405-000000004302}3772C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086947Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.893{9531C931-286C-623C-0B00-000000004302}6282684C:\Windows\system32\lsass.exe{9531C931-513A-623C-5405-000000004302}3772C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086946Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.878{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513A-623C-5405-000000004302}3772C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086945Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.878{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513A-623C-5405-000000004302}3772C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086944Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.878{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286D-623C-1000-000000004302}916C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000086943Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.878{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513A-623C-5405-000000004302}3772C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086942Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.878{9531C931-286C-623C-0B00-000000004302}6283596C:\Windows\system32\lsass.exe{9531C931-513A-623C-5405-000000004302}3772C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086941Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.878{9531C931-286C-623C-0B00-000000004302}6283596C:\Windows\system32\lsass.exe{9531C931-513A-623C-5405-000000004302}3772C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086940Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.878{9531C931-286C-623C-0B00-000000004302}6282684C:\Windows\system32\lsass.exe{9531C931-513A-623C-5405-000000004302}3772C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+203da|C:\Windows\SYSTEM32\samsrv.dll+6141|C:\Windows\SYSTEM32\samsrv.dll+6042|C:\Windows\SYSTEM32\samsrv.dll+5a18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086939Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.878{9531C931-286C-623C-0B00-000000004302}6282684C:\Windows\system32\lsass.exe{9531C931-513A-623C-5405-000000004302}3772C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086938Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.878{9531C931-286C-623C-0B00-000000004302}6283596C:\Windows\system32\lsass.exe{9531C931-513A-623C-5405-000000004302}3772C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086937Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.878{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513A-623C-5405-000000004302}3772C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086936Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.878{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513A-623C-5405-000000004302}3772C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086935Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.878{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286D-623C-1000-000000004302}916C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000086934Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.878{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513A-623C-5405-000000004302}3772C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086933Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.878{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513A-623C-5405-000000004302}3772C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086932Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.878{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513A-623C-5405-000000004302}3772C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086931Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.878{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513A-623C-5405-000000004302}3772C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086930Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.862{9531C931-286C-623C-0B00-000000004302}6283596C:\Windows\system32\lsass.exe{9531C931-513A-623C-5405-000000004302}3772C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086929Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.862{9531C931-286C-623C-0B00-000000004302}6282684C:\Windows\system32\lsass.exe{9531C931-513A-623C-5405-000000004302}3772C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086928Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.862{9531C931-286C-623C-0B00-000000004302}6282684C:\Windows\system32\lsass.exe{9531C931-513A-623C-5405-000000004302}3772C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086927Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.862{9531C931-286C-623C-0B00-000000004302}6282684C:\Windows\system32\lsass.exe{9531C931-513A-623C-5405-000000004302}3772C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086926Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.862{9531C931-286C-623C-0B00-000000004302}6283596C:\Windows\system32\lsass.exe{9531C931-513A-623C-5405-000000004302}3772C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086925Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.862{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513A-623C-5405-000000004302}3772C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086924Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.862{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513A-623C-5405-000000004302}3772C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086923Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.862{9531C931-286C-623C-0B00-000000004302}6283596C:\Windows\system32\lsass.exe{9531C931-513A-623C-5405-000000004302}3772C:\Windows\system32\LogonUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086922Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.862{9531C931-286C-623C-0B00-000000004302}6283596C:\Windows\system32\lsass.exe{9531C931-513A-623C-5405-000000004302}3772C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086921Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.862{9531C931-286C-623C-0B00-000000004302}6283596C:\Windows\system32\lsass.exe{9531C931-286D-623C-1000-000000004302}916C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086920Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.862{9531C931-286C-623C-0B00-000000004302}6283596C:\Windows\system32\lsass.exe{9531C931-286D-623C-1000-000000004302}916C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086919Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.862{9531C931-286D-623C-1000-000000004302}9162872C:\Windows\System32\svchost.exe{9531C931-513A-623C-5405-000000004302}3772C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\termsrv.dll+a1317|c:\windows\system32\termsrv.dll+6aa48|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086918Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.862{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513A-623C-5405-000000004302}3772C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086917Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.862{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513A-623C-5405-000000004302}3772C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086916Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.737{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513A-623C-5505-000000004302}976C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086915Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.737{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513A-623C-5505-000000004302}976C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000086914Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.737{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69E19A5CFB81775772458712E708A9FC,SHA256=19CB9B4AE74D3E222B199304C815B18F94FA9AF1FD9EB149F896D5A05197A86C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000086913Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.659{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086912Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.659{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086911Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.659{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086910Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.643{9531C931-286E-623C-1600-000000004302}12161552C:\Windows\System32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086909Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.565{9531C931-286C-623C-0B00-000000004302}6283596C:\Windows\system32\lsass.exe{9531C931-513A-623C-5405-000000004302}3772C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086908Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.565{9531C931-286C-623C-0B00-000000004302}6283596C:\Windows\system32\lsass.exe{9531C931-513A-623C-5405-000000004302}3772C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086907Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.518{9531C931-286E-623C-1600-000000004302}12161552C:\Windows\System32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086906Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.518{9531C931-286C-623C-0B00-000000004302}6283596C:\Windows\system32\lsass.exe{9531C931-513A-623C-5405-000000004302}3772C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086905Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.456{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-1700-000000004302}1224C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086904Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.456{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286D-623C-1100-000000004302}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+626ce|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000086903Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.456{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286D-623C-1000-000000004302}916C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6267d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x800000000000000086902Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-ConnectPipe2022-03-24 11:08:43.456{9531C931-286D-623C-1000-000000004302}916\TSVCPIPE-6b4d01e4-1e01-4f72-a22d-9660b2609311C:\Windows\System32\svchost.exe 10341000x800000000000000086901Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.456{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286D-623C-1100-000000004302}932C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086900Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.456{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286D-623C-1100-000000004302}932C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086899Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.456{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286D-623C-1100-000000004302}932C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000086898Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.425{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AB4F4257D640F5940EC27B006AF25D3,SHA256=B7F4AC29874EE716352DCC0777A2F33C1EC94B58551BAA37DE42659A86008016,IMPHASH=00000000000000000000000000000000falsetrue 18141800x800000000000000086897Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-ConnectPipe2022-03-24 11:08:43.409{9531C931-286D-623C-1000-000000004302}916\TSVCPIPE-6b4d01e4-1e01-4f72-a22d-9660b2609311C:\Windows\System32\svchost.exe 10341000x800000000000000086896Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.378{9531C931-286E-623C-1500-000000004302}10401516C:\Windows\system32\svchost.exe{9531C931-513A-623C-5405-000000004302}3772C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086895Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.378{9531C931-286E-623C-1500-000000004302}10401516C:\Windows\system32\svchost.exe{9531C931-513A-623C-5405-000000004302}3772C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086894Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.378{9531C931-286E-623C-1500-000000004302}10401516C:\Windows\system32\svchost.exe{9531C931-513A-623C-5405-000000004302}3772C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086893Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.378{9531C931-286E-623C-1500-000000004302}10401516C:\Windows\system32\svchost.exe{9531C931-513A-623C-5405-000000004302}3772C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000086892Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-ConnectPipe2022-03-24 11:08:43.378{9531C931-286D-623C-1000-000000004302}916\TSVCPIPE-6b4d01e4-1e01-4f72-a22d-9660b2609311C:\Windows\System32\svchost.exe 10341000x800000000000000086891Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.378{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286D-623C-1100-000000004302}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+626ce|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000086890Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.378{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286D-623C-1000-000000004302}916C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6267d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x800000000000000086889Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-ConnectPipe2022-03-24 11:08:43.378{9531C931-286D-623C-1000-000000004302}916\TSVCPIPE-6b4d01e4-1e01-4f72-a22d-9660b2609311C:\Windows\System32\svchost.exe 17141700x800000000000000086888Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-CreatePipe2022-03-24 11:08:43.378{9531C931-286D-623C-1000-000000004302}916\TSVCPIPE-6b4d01e4-1e01-4f72-a22d-9660b2609311C:\Windows\System32\svchost.exe 10341000x800000000000000086887Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.378{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286D-623C-1100-000000004302}932C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086886Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.378{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286D-623C-1100-000000004302}932C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086885Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.378{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-1900-000000004302}1768C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086884Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.378{9531C931-286D-623C-1000-000000004302}9163804C:\Windows\System32\svchost.exe{9531C931-5139-623C-5305-000000004302}3820C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\termsrv.dll+a1317|c:\windows\system32\termsrv.dll+6a72d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086883Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.378{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086882Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.378{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-1600-000000004302}1216C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086881Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.362{9531C931-286E-623C-1400-000000004302}9521952C:\Windows\system32\svchost.exe{9531C931-5139-623C-5305-000000004302}3820C:\Windows\system32\winlogon.exe0x147aC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\themeservice.dll+3de3|c:\windows\system32\themeservice.dll+26c0|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086880Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.362{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-1600-000000004302}1216C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086879Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.362{9531C931-286E-623C-1400-000000004302}9521104C:\Windows\system32\svchost.exe{9531C931-5139-623C-5305-000000004302}3820C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086878Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.362{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-1600-000000004302}1216C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086877Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.347{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086876Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.347{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086875Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.347{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086874Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.347{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086873Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.347{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086872Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.347{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086871Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.347{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513A-623C-5405-000000004302}3772C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086870Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.347{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-5139-623C-5305-000000004302}3820C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+396a|c:\windows\system32\SYSNTFY.dll+1fc3|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+354a8|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086869Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.347{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-5139-623C-5305-000000004302}3820C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+33ca4|C:\Windows\System32\RPCRT4.dll+21600|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086868Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.347{9531C931-286E-623C-1400-000000004302}9521952C:\Windows\system32\svchost.exe{9531C931-5139-623C-5305-000000004302}3820C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+33ca4|C:\Windows\System32\RPCRT4.dll+21600|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086867Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.112{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286C-623C-0B00-000000004302}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086866Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.112{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286C-623C-0B00-000000004302}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086865Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.112{9531C931-286C-623C-0B00-000000004302}6282684C:\Windows\system32\lsass.exe{9531C931-286C-623C-0A00-000000004302}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b8ad|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086864Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.082{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513A-623C-5405-000000004302}3772C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000086863Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.050{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25F77E866014EAD7E8036AFEC06B838C,SHA256=1CA1AD47ED03A6F55E1EF9B30779FCA3ECBD34C893D57E3556FC33268F89F7C7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000086862Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.003{9531C931-513A-623C-5405-000000004302}37723940C:\Windows\system32\LogonUI.exe{9531C931-5139-623C-5305-000000004302}3820C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\logoncontroller.dll+2eef5|C:\Windows\System32\RPCRT4.dll+33ca4|C:\Windows\System32\RPCRT4.dll+21600|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086861Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.003{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513A-623C-5405-000000004302}3772C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086860Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.003{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513A-623C-5405-000000004302}3772C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000121061Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:42.885{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local53domainfalse10.0.1.15WIN-HOST-TCONTR64114- 354300x8000000000000000121060Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:42.885{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local53domainfalse10.0.1.15WIN-HOST-TCONTR52549- 354300x8000000000000000121059Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:42.883{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local53domainfalse10.0.1.15WIN-HOST-TCONTR61707- 23542300x8000000000000000121058Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:44.675{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C2143349EAF94E579E84A1662134C9E,SHA256=6A7F89C8505888C937AFB908E23D2E2E335A018EF426FB53DADB625F82AE0948,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087268Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.987{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087267Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.956{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513C-623C-5B05-000000004302}2344C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+626ce|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000087266Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.956{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286D-623C-1000-000000004302}916C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6267d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x800000000000000087265Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-ConnectPipe2022-03-24 11:08:44.956{9531C931-286D-623C-1000-000000004302}916\TSVCPIPE-6b4d01e4-1e01-4f72-a22d-9660b2609311C:\Windows\System32\svchost.exe 10341000x800000000000000087264Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.956{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087263Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.956{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087262Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.956{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087261Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.956{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087260Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.956{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087259Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.956{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087258Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.956{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087257Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.940{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087256Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.940{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087255Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.940{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087254Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.940{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087253Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.940{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000087252Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.940{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A18EC6D674CEC67F21452041022F8159,SHA256=F28A2AE5D60FDDA64D1532DD642A3219F69439872378B4753EF50B87CBAEAA01,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087251Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.940{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087250Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.940{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087249Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.925{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087248Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.925{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087247Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.925{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087246Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.925{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000087245Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:42.808{9531C931-286E-623C-1400-000000004302}952C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51748-false52.152.110.14-443https 10341000x800000000000000087244Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.910{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087243Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.910{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087242Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.910{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087241Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.910{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087240Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.910{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087239Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.910{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087238Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.894{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087237Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.894{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087236Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.894{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087235Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.894{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087234Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.894{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087233Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.894{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087232Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.878{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000087231Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-ConnectPipe2022-03-24 11:08:44.878{9531C931-286D-623C-1000-000000004302}916\TSVCPIPE-6b4d01e4-1e01-4f72-a22d-9660b2609311C:\Windows\System32\svchost.exe 10341000x800000000000000087230Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.878{9531C931-513C-623C-5C05-000000004302}25563148C:\Windows\System32\RuntimeBroker.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\TokenBroker.dll+1158a|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+54153|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37efc|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e 10341000x800000000000000087229Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.878{9531C931-513C-623C-5C05-000000004302}25563148C:\Windows\System32\RuntimeBroker.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+114b3|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+54153|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37efc|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000087228Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.864{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087227Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.864{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087226Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.864{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087225Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.864{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087224Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.864{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087223Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.864{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087222Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.847{9531C931-513C-623C-5A05-000000004302}29841052C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5001_none_7f26fe1021d6779b\TiWorker.exe{9531C931-513C-623C-5805-000000004302}416C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5001_none_7f26fe1021d6779b\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000087221Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.847{9531C931-513C-623C-5A05-000000004302}29841052C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5001_none_7f26fe1021d6779b\TiWorker.exe{9531C931-513C-623C-5805-000000004302}416C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5001_none_7f26fe1021d6779b\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000087220Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.832{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513C-623C-5B05-000000004302}2344C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087219Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.832{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513C-623C-5B05-000000004302}2344C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087218Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.832{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513C-623C-5B05-000000004302}2344C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000087217Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-ConnectPipe2022-03-24 11:08:44.832{9531C931-286D-623C-1000-000000004302}916\TSVCPIPE-6b4d01e4-1e01-4f72-a22d-9660b2609311C:\Windows\System32\svchost.exe 10341000x800000000000000087216Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.832{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513C-623C-5B05-000000004302}2344C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087215Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.832{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513C-623C-5B05-000000004302}2344C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087214Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.832{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513C-623C-5B05-000000004302}2344C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087213Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.816{9531C931-286E-623C-1400-000000004302}9521248C:\Windows\system32\svchost.exe{9531C931-513C-623C-5B05-000000004302}2344C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087212Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.816{9531C931-286E-623C-1400-000000004302}9521104C:\Windows\system32\svchost.exe{9531C931-513C-623C-5B05-000000004302}2344C:\Windows\System32\rdpclip.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087211Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.816{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513C-623C-5B05-000000004302}2344C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087210Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.816{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513C-623C-5B05-000000004302}2344C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000087209Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.816{9531C931-513A-623C-5405-000000004302}3772NT AUTHORITY\SYSTEMC:\Windows\system32\LogonUI.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\{17A6A947-B905-4D30-88C9-B63C603DA134}.3.ver0x0000000000000001.dbMD5=F3DC4461F59519C68ABD86B979EA9762,SHA256=5896967D61C1C716C98511DCFC267A12749D330E5DEB35ECCB4690DFA756C964,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087208Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.816{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286D-623C-1100-000000004302}932C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087207Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.816{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286D-623C-1100-000000004302}932C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087206Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.816{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286D-623C-1100-000000004302}932C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087205Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.816{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286D-623C-1100-000000004302}932C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087204Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.816{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286D-623C-1100-000000004302}932C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087203Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.816{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286D-623C-1100-000000004302}932C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087202Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.816{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286D-623C-1100-000000004302}932C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087201Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.816{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286D-623C-1100-000000004302}932C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|c:\windows\system32\lsm.dll+23fc9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087200Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.816{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286D-623C-1100-000000004302}932C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23fc1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000087199Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.800{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4120B076286180BD67909380E3D9BC00,SHA256=635C8957BEE2400BF99EB28C8BBA3FA89436C7E9119512D22E5199A6FCC585BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087198Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.800{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286D-623C-1100-000000004302}932C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087197Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.784{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286D-623C-1100-000000004302}932C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087196Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.784{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286D-623C-1100-000000004302}932C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087195Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.784{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286D-623C-1100-000000004302}932C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087194Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.784{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286D-623C-1100-000000004302}932C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087193Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.784{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286D-623C-1100-000000004302}932C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087192Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.784{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286D-623C-1100-000000004302}932C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087191Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.784{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286D-623C-1100-000000004302}932C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087190Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.784{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286D-623C-1100-000000004302}932C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087189Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.784{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286D-623C-1100-000000004302}932C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000087188Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-ConnectPipe2022-03-24 11:08:44.784{9531C931-286D-623C-1000-000000004302}916\TSVCPIPE-6b4d01e4-1e01-4f72-a22d-9660b2609311C:\Windows\System32\svchost.exe 10341000x800000000000000087187Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.784{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286D-623C-1100-000000004302}932C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087186Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.784{9531C931-286C-623C-0B00-000000004302}6283668C:\Windows\system32\lsass.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087185Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.768{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286D-623C-1100-000000004302}932C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087184Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.768{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286D-623C-1100-000000004302}932C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087183Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.768{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286D-623C-1100-000000004302}932C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087182Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.768{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-5139-623C-5305-000000004302}3820C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087181Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.768{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-5139-623C-5305-000000004302}3820C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000087180Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971Context,DeviceConntectedOrUpdatedSetValue2022-03-24 11:08:44.768{9531C931-2850-623C-0100-000000004302}4SystemHKLM\System\CurrentControlSet\Enum\SWD\ScDeviceEnumBus\1\FriendlyNameMicrosoft Passport Container Enumeration Bus 13241300x800000000000000087179Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971InvDB-DriverVerSetValue2022-03-24 11:08:44.768{9531C931-2850-623C-0100-000000004302}4SystemHKLM\System\CurrentControlSet\Control\Class\{62f9c741-b25a-46ce-b54c-9bccce08b6f2}\0003\DriverVersion10.0.14393.0 10341000x800000000000000087178Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.768{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-5139-623C-5305-000000004302}3820C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087177Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.768{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-5139-623C-5305-000000004302}3820C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087176Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.768{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-5139-623C-5305-000000004302}3820C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087175Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.768{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-5139-623C-5305-000000004302}3820C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000087174Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971Context,DeviceConntectedOrUpdatedSetValue2022-03-24 11:08:44.768{9531C931-2850-623C-0100-000000004302}4SystemHKLM\System\CurrentControlSet\Enum\SWD\ScDeviceEnumBus\0\FriendlyNameSmart Card Device Enumeration Bus 13241300x800000000000000087173Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971InvDB-DriverVerSetValue2022-03-24 11:08:44.753{9531C931-2850-623C-0100-000000004302}4SystemHKLM\System\CurrentControlSet\Control\Class\{62f9c741-b25a-46ce-b54c-9bccce08b6f2}\0002\DriverVersion10.0.14393.0 10341000x800000000000000087172Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.706{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087171Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.691{9531C931-5139-623C-5205-000000004302}15403348C:\Windows\system32\csrss.exe{9531C931-513C-623C-5B05-000000004302}2344C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000087170Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.691{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513A-623C-5505-000000004302}976C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087169Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.691{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513A-623C-5505-000000004302}976C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087168Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.691{9531C931-286C-623C-0500-000000004302}4081060C:\Windows\system32\csrss.exe{9531C931-513C-623C-5B05-000000004302}2344C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000087167Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.691{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087166Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.691{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087165Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.691{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087164Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.675{9531C931-286D-623C-1000-000000004302}9163724C:\Windows\System32\svchost.exe{9531C931-513C-623C-5B05-000000004302}2344C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f553|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\termsrv.dll+47f71|c:\windows\system32\termsrv.dll+1982c|c:\windows\system32\termsrv.dll+2320b|c:\windows\system32\termsrv.dll+22643|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000087163Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.675{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000087162Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.682{9531C931-513C-623C-5B05-000000004302}2344C:\Windows\System32\rdpclip.exe10.0.14393.3503 (rs1_release.200131-0410)RDP Clipboard MonitorMicrosoft® Windows® Operating SystemMicrosoft Corporationrdpclip.exerdpclipC:\Windows\system32\WIN-HOST-TCONTR\Administrator{9531C931-513B-623C-21B3-330000000000}0x33b3212HighMD5=D887E718FB0F4C99B9F01C5BD59F8B90,SHA256=ACFA1128B4EDD953F6364FA6216337A59C0522A01349263A11259A827838A56F,IMPHASH=5A464814303942D42A66B561CF697F26{9531C931-286D-623C-1000-000000004302}916C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k termsvcs 23542300x800000000000000087161Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.675{9531C931-513A-623C-5405-000000004302}3772NT AUTHORITY\SYSTEMC:\Windows\system32\LogonUI.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\1033\StructuredQuerySchema.binMD5=E871053170AD09568882637D049295DC,SHA256=CEA9EABB0B46AC602CDC3FB6FE6215981F2D7C0C6A5C5023CE72860232DBE12B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087160Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.675{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286D-623C-1000-000000004302}916C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 23542300x800000000000000087159Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.628{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CA945E0A60C5B2EF462F4FF2D9D37A0,SHA256=0D2EA521DF28EBDAACD028DC28B06B95F9620D719D64B214ADE578A42438524C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087158Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.550{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513C-623C-5905-000000004302}1152C:\Windows\system32\TSTheme.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087157Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.550{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513C-623C-5A05-000000004302}2984C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5001_none_7f26fe1021d6779b\TiWorker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087156Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.550{9531C931-286E-623C-1400-000000004302}9521952C:\Windows\system32\svchost.exe{9531C931-513C-623C-5905-000000004302}1152C:\Windows\system32\TSTheme.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087155Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.550{9531C931-286E-623C-1400-000000004302}9521104C:\Windows\system32\svchost.exe{9531C931-513C-623C-5905-000000004302}1152C:\Windows\system32\TSTheme.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087154Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.550{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087153Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.550{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087152Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.550{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087151Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.550{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087150Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.534{9531C931-286C-623C-0500-000000004302}408528C:\Windows\system32\csrss.exe{9531C931-513C-623C-5A05-000000004302}2984C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5001_none_7f26fe1021d6779b\TiWorker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000087149Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.534{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513C-623C-5A05-000000004302}2984C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5001_none_7f26fe1021d6779b\TiWorker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f553|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25bc9|c:\windows\system32\rpcss.dll+40ca2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000087148Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.542{9531C931-513C-623C-5A05-000000004302}2984C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5001_none_7f26fe1021d6779b\TiWorker.exe10.0.14393.4222 (rs1_release.210113-1739)Windows Modules Installer WorkerMicrosoft® Windows® Operating SystemMicrosoft CorporationTiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5001_none_7f26fe1021d6779b\TiWorker.exe -EmbeddingC:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=1571A4132449A317F66DF783E9468783,SHA256=5CFF48937FAE7F0CF5935248959141E2A60E88FE8105C43676B866FDAC36ADD2,IMPHASH=38FF53C1CCC1EE4C508C0F83A88C4E19{9531C931-286D-623C-0C00-000000004302}720C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x800000000000000087147Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.534{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087146Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.534{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087145Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.534{9531C931-5139-623C-5205-000000004302}15403348C:\Windows\system32\csrss.exe{9531C931-513C-623C-5905-000000004302}1152C:\Windows\system32\TSTheme.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000087144Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.534{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087143Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.534{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087142Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.534{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087141Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.534{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087140Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.534{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087139Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.534{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087138Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.534{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087137Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.534{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087136Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.534{9531C931-286C-623C-0500-000000004302}4081060C:\Windows\system32\csrss.exe{9531C931-513C-623C-5905-000000004302}1152C:\Windows\system32\TSTheme.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000087135Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.534{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087134Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.534{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087133Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.534{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-513C-623C-5905-000000004302}1152C:\Windows\system32\TSTheme.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f553|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+26652|c:\windows\system32\rpcss.dll+424dd|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000087132Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.540{9531C931-513C-623C-5905-000000004302}1152C:\Windows\System32\TSTheme.exe10.0.14393.4169 (rs1_release.210107-1130)TSTheme Server ModuleMicrosoft® Windows® Operating SystemMicrosoft CorporationTSThemeS.exeC:\Windows\system32\TSTheme.exe -EmbeddingC:\Windows\system32\WIN-HOST-TCONTR\Administrator{9531C931-513B-623C-21B3-330000000000}0x33b3212HighMD5=D5E6B1DA9AEE1CC85A50894A07700B98,SHA256=3A22AAA677B8B658386F6A22ECFB36795DC1BE55AED591FEAA05CA8D36973464,IMPHASH=851EBF0BAEED8A212E02B93229FDC674{9531C931-286D-623C-0C00-000000004302}720C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x800000000000000087131Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.534{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087130Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.534{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087129Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.534{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087128Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.534{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087127Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.534{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087126Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.534{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087125Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.534{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121057Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:44.347{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121056Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:44.347{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121055Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:44.347{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121054Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:44.347{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121053Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:44.347{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121052Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:44.347{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121051Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:44.347{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121050Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:44.347{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121049Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:44.347{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121048Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:44.347{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121047Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:44.347{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121046Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:44.347{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121045Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:44.347{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121044Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:44.347{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121043Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:44.347{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121042Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:44.347{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121041Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:44.347{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121040Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:44.347{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121039Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:44.347{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121038Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:44.347{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121037Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:44.347{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121036Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:44.347{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121035Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:44.347{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121034Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:44.347{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121033Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:44.347{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121032Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:44.347{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9800-000000004202}5168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121031Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:44.347{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9800-000000004202}5168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121030Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:44.347{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9800-000000004202}5168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087124Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.534{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|c:\windows\system32\lsm.dll+23fc9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087123Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.534{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23fc1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087122Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.534{9531C931-286E-623C-1900-000000004302}17683928C:\Windows\System32\spoolsv.exe{9531C931-286D-623C-1100-000000004302}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\spoolsv.exe+1b773|C:\Windows\System32\spoolsv.exe+1b5d9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358ab|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087121Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.518{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286D-623C-1100-000000004302}932C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087120Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.518{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286D-623C-1100-000000004302}932C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087119Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.518{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-1900-000000004302}1768C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6668|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087118Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.518{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-1900-000000004302}1768C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6668|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087117Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.518{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087116Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.518{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087115Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.518{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087114Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.518{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-1900-000000004302}1768C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087113Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.518{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087112Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.518{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087111Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.518{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087110Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.518{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087109Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.518{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087108Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.518{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087107Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.518{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087106Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.518{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087105Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.518{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087104Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.518{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087103Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.518{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087102Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.518{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087101Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.518{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087100Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.518{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087099Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.518{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087098Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.518{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087097Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.518{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087096Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.518{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087095Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.518{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087094Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.518{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087093Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.503{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087092Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.503{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087091Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.503{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087090Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.503{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087089Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.503{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23e0b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087088Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.503{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087087Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.503{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087086Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.503{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087085Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.503{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087084Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.503{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286D-623C-1000-000000004302}916C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000087083Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.503{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513C-623C-5805-000000004302}416C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087082Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.503{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286D-623C-1000-000000004302}916C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000087081Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.503{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-5139-623C-5305-000000004302}3820C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+37c3|c:\windows\system32\SYSNTFY.dll+1dcb|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+354a8|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087080Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.503{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-5139-623C-5305-000000004302}3820C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+33ca4|C:\Windows\System32\RPCRT4.dll+21600|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000087079Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.456{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8314F4010A8E7C7D2F51C6F7F09E0230,SHA256=9E0E5CA89643D9E03CD654C83E4C5304E39E71958405FE01489B4A7E7ECBA1C8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087078Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.440{9531C931-286C-623C-0A00-000000004302}6203704C:\Windows\system32\services.exe{9531C931-513C-623C-5805-000000004302}416C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087077Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.440{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087076Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.440{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087075Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.440{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087074Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.440{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087073Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.440{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087072Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.440{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087071Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.440{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087070Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.440{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087069Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.440{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087068Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.440{9531C931-286C-623C-0500-000000004302}408528C:\Windows\system32\csrss.exe{9531C931-513C-623C-5805-000000004302}416C:\Windows\servicing\TrustedInstaller.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000087067Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.440{9531C931-286C-623C-0A00-000000004302}6201320C:\Windows\system32\services.exe{9531C931-513C-623C-5805-000000004302}416C:\Windows\servicing\TrustedInstaller.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f553|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000087066Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.438{9531C931-513C-623C-5805-000000004302}416C:\Windows\servicing\TrustedInstaller.exe10.0.14393.3564 (rs1_release.200303-1942)Windows Modules InstallerMicrosoft® Windows® Operating SystemMicrosoft CorporationTrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=187076E4BC7B2F5FB7D54D1234B3CDEA,SHA256=7AE4CC64E2F0E5C58ABB6542233DA78B9AEAAD22C9D853AB96265EF3FBFEFABE,IMPHASH=648F735E453FC6802BFAECAC5ACA72A4{9531C931-286C-623C-0A00-000000004302}620C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x800000000000000087065Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.425{9531C931-286C-623C-0B00-000000004302}6283596C:\Windows\system32\lsass.exe{9531C931-286C-623C-0A00-000000004302}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1e908|C:\Windows\system32\lsasrv.dll+1db31|C:\Windows\system32\lsasrv.dll+1c350|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087064Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.425{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286C-623C-0B00-000000004302}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087063Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.425{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286C-623C-0B00-000000004302}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087062Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.425{9531C931-286C-623C-0B00-000000004302}6283596C:\Windows\system32\lsass.exe{9531C931-286C-623C-0A00-000000004302}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b8ad|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087061Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.409{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087060Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.409{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087059Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.409{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087058Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.393{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087057Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.393{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087056Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.393{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087055Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.393{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087054Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.393{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087053Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.393{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087052Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.393{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087051Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.378{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087050Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.378{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087049Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.378{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087048Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.347{9531C931-286C-623C-0B00-000000004302}6282684C:\Windows\system32\lsass.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087047Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.331{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513C-623C-5705-000000004302}2708C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000087046Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.237{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C85A7C51EBE65F502E9841514D9E34E,SHA256=0A48529ED6302E93891B855D128E59ED3FDA482E37CD8106870182D95AE319E2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087045Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.237{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087044Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.237{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087043Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.237{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087042Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.206{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087041Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.206{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087040Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.206{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087039Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.206{9531C931-286C-623C-0500-000000004302}4081060C:\Windows\system32\csrss.exe{9531C931-513C-623C-5705-000000004302}2708C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000087038Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.190{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513C-623C-5705-000000004302}2708C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f553|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25bc9|c:\windows\system32\rpcss.dll+40ca2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087037Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.190{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087036Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.190{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087035Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.190{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087034Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.175{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087033Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.175{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087032Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.175{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087031Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.159{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087030Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.143{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087029Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.143{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087028Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.128{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087027Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.128{9531C931-286C-623C-0B00-000000004302}6282684C:\Windows\system32\lsass.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+203da|C:\Windows\SYSTEM32\samsrv.dll+6141|C:\Windows\SYSTEM32\samsrv.dll+6042|C:\Windows\SYSTEM32\samsrv.dll+1614e|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087026Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.128{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087025Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.128{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087024Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.128{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087023Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.128{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087022Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.128{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087021Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.113{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087020Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.113{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087019Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.113{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000087018Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.097{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25CD3BA315071CF19C131F537B3143BB,SHA256=D53FCBE07BF8694003F078CBCDBD5152088D3310D2B92100232D121FE52DCA5C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087017Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.065{9531C931-286C-623C-0B00-000000004302}6282684C:\Windows\system32\lsass.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087016Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.065{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286D-623C-1000-000000004302}916C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+626ce|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000087015Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.065{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6267d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000087014Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.065{9531C931-286E-623C-1400-000000004302}9522352C:\Windows\system32\svchost.exe{9531C931-5139-623C-5305-000000004302}3820C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+33ca4|C:\Windows\System32\RPCRT4.dll+21600|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087013Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.065{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-5139-623C-5305-000000004302}3820C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+2de4|c:\windows\system32\lsm.dll+57af|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087012Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.065{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-5139-623C-5305-000000004302}3820C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2dce|c:\windows\system32\lsm.dll+57af|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087011Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.065{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-5139-623C-5305-000000004302}3820C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+5f9d|c:\windows\system32\lsm.dll+57a4|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087010Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.050{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286D-623C-1000-000000004302}916C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000087009Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.050{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286D-623C-1000-000000004302}916C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000087008Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.050{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286D-623C-1000-000000004302}916C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000087007Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.050{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-5139-623C-5305-000000004302}3820C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+2f9b|c:\windows\system32\lsm.dll+5727|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087006Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.050{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-5139-623C-5305-000000004302}3820C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2f4d|c:\windows\system32\lsm.dll+5727|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087005Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.050{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-5139-623C-5305-000000004302}3820C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+5f9d|c:\windows\system32\lsm.dll+5718|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087004Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.050{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-5139-623C-5305-000000004302}3820C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+56c4|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087003Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.050{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087002Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.050{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087001Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.050{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087000Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.034{9531C931-286C-623C-0B00-000000004302}6283668C:\Windows\system32\lsass.exe{9531C931-513A-623C-5405-000000004302}3772C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086999Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.034{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086998Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.034{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086997Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.034{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086996Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.034{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513A-623C-5405-000000004302}3772C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086995Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.034{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513A-623C-5405-000000004302}3772C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086994Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.034{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513A-623C-5405-000000004302}3772C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086993Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.034{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513A-623C-5405-000000004302}3772C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086992Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.034{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086991Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.034{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086990Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.034{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000121062Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:45.722{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDF64F01D0DF002E2C84576506781347,SHA256=0A0830D03F1C791BB563761178D979E1AE009B9FDD705F7698AF0DAF4274A8E6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000087383Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:43.599{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51749-false10.0.1.12-8000- 10341000x800000000000000087382Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:45.878{9531C931-286E-623C-1400-000000004302}9523488C:\Windows\system32\svchost.exe{9531C931-513D-623C-6405-000000004302}4044C:\Windows\system32\userinit.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087381Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:45.878{9531C931-286E-623C-1400-000000004302}9521104C:\Windows\system32\svchost.exe{9531C931-513D-623C-6405-000000004302}4044C:\Windows\system32\userinit.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087380Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:45.847{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087379Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:45.847{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087378Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:45.847{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087377Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:45.847{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087376Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:45.847{9531C931-5139-623C-5205-000000004302}15401844C:\Windows\system32\csrss.exe{9531C931-513D-623C-6405-000000004302}4044C:\Windows\system32\userinit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000087375Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:45.847{9531C931-5139-623C-5305-000000004302}38201820C:\Windows\system32\winlogon.exe{9531C931-513D-623C-6405-000000004302}4044C:\Windows\system32\userinit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f553|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\winlogon.exe+15b13|C:\Windows\system32\winlogon.exe+ea76|C:\Windows\system32\winlogon.exe+b12f|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000087374Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:45.853{9531C931-513D-623C-6405-000000004302}4044C:\Windows\System32\userinit.exe10.0.14393.0 (rs1_release.160715-1616)Userinit Logon ApplicationMicrosoft® Windows® Operating SystemMicrosoft CorporationUSERINIT.EXEC:\Windows\system32\userinit.exeC:\Windows\system32\WIN-HOST-TCONTR\Administrator{9531C931-513B-623C-21B3-330000000000}0x33b3212HighMD5=C1B1FFC800BE2F31EB2CF8CB40629C69,SHA256=CFC6A18FC8FE7447ECD491345A32F0F10208F114B70A0E9D1CD72F6070D5B36F,IMPHASH=BFA137B16F3492AFCA0551687B067C04{9531C931-5139-623C-5305-000000004302}3820C:\Windows\System32\winlogon.exewinlogon.exe 10341000x800000000000000087373Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:45.815{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000087372Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:45.565{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F61EE21ADDCDF25CEB913BC589D7ABC5,SHA256=C3CFF1BEFCD6201888516CA92D5EA004F176498B78D18780CDAB9CB1CAE1692D,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000087371Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:45.534{9531C931-286C-623C-0B00-000000004302}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000087370Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:45.534{9531C931-286C-623C-0B00-000000004302}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00a01f64) 13241300x800000000000000087369Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:45.534{9531C931-286C-623C-0B00-000000004302}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d83f67-0x2589e9d1) 13241300x800000000000000087368Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:45.534{9531C931-286C-623C-0B00-000000004302}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d83f6f-0x874e51d1) 13241300x800000000000000087367Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:45.534{9531C931-286C-623C-0B00-000000004302}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d83f77-0xe912b9d1) 10341000x800000000000000087366Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:45.378{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087365Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:45.378{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087364Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:45.347{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-5139-623C-5305-000000004302}3820C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087363Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:45.347{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-5139-623C-5305-000000004302}3820C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087362Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:45.347{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-5139-623C-5305-000000004302}3820C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+3a1a|c:\windows\system32\SYSNTFY.dll+1e8d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+354a8|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087361Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:45.347{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087360Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:45.347{9531C931-286E-623C-1400-000000004302}9523488C:\Windows\system32\svchost.exe{9531C931-5139-623C-5305-000000004302}3820C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\sessenv.dll+3de88|c:\windows\system32\sessenv.dll+f881|c:\windows\system32\sessenv.dll+677c|c:\windows\system32\SYSNTFY.dll+1e8d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+354a8|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087359Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:45.237{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087358Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:45.237{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087357Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:45.237{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087356Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:45.237{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000087355Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:45.206{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3883E0EC9FCFB05AB4DDFDFE2E22D6A,SHA256=D4B140A6F27EFB2E3B8FE7F137D869945EED95066DC5DD6D75695408161E8BC5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087354Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:45.159{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087353Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:45.159{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087352Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:45.159{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087351Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:45.159{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087350Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:45.159{9531C931-5139-623C-5205-000000004302}15401684C:\Windows\system32\csrss.exe{9531C931-513D-623C-6205-000000004302}3600C:\Windows\system32\ServerManagerLauncher.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000087349Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:45.159{9531C931-286C-623C-0500-000000004302}408424C:\Windows\system32\csrss.exe{9531C931-513D-623C-6205-000000004302}3600C:\Windows\system32\ServerManagerLauncher.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000087348Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:45.159{9531C931-286E-623C-1400-000000004302}9523044C:\Windows\system32\svchost.exe{9531C931-513D-623C-6205-000000004302}3600C:\Windows\system32\ServerManagerLauncher.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f553|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\UBPM.dll+ac80|c:\windows\system32\UBPM.dll+f954|c:\windows\system32\UBPM.dll+cd5c|c:\windows\system32\UBPM.dll+107e6|c:\windows\system32\UBPM.dll+d3c9|c:\windows\system32\UBPM.dll+dc25|c:\windows\system32\UBPM.dll+e8fd|c:\windows\system32\UBPM.dll+e14a|c:\windows\system32\UBPM.dll+dda2|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+82754|C:\Windows\SYSTEM32\ntdll.dll+1e8a2|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000087347Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:45.144{9531C931-513D-623C-6105-000000004302}24043816C:\Windows\system32\conhost.exe{9531C931-513D-623C-5F05-000000004302}3796C:\Windows\System32\XblGameSaveTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087346Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:45.128{9531C931-286C-623C-0500-000000004302}408424C:\Windows\system32\csrss.exe{9531C931-513D-623C-6105-000000004302}2404C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000087345Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:45.128{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087344Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:45.128{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087343Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:45.128{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087342Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:45.112{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087341Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:45.112{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087340Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:45.112{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087339Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:45.112{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087338Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:45.112{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087337Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:45.112{9531C931-286C-623C-0500-000000004302}4081060C:\Windows\system32\csrss.exe{9531C931-513D-623C-5F05-000000004302}3796C:\Windows\System32\XblGameSaveTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000087336Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:45.112{9531C931-286E-623C-1400-000000004302}9522464C:\Windows\system32\svchost.exe{9531C931-513D-623C-5F05-000000004302}3796C:\Windows\System32\XblGameSaveTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a731|c:\windows\system32\UBPM.dll+f954|c:\windows\system32\UBPM.dll+cd5c|c:\windows\system32\UBPM.dll+d325|c:\windows\system32\UBPM.dll+dc25|c:\windows\system32\UBPM.dll+e8fd|c:\windows\system32\UBPM.dll+e14a|c:\windows\system32\UBPM.dll+dda2|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087335Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:45.112{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087334Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:45.112{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087333Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:45.112{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087332Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:45.112{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087331Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:45.112{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087330Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:45.112{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-1700-000000004302}1224C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087329Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:45.112{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087328Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:45.097{9531C931-286C-623C-0A00-000000004302}6203704C:\Windows\system32\services.exe{9531C931-513D-623C-5E05-000000004302}2412C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087327Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:45.097{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513D-623C-5E05-000000004302}2412C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087326Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:45.065{9531C931-5139-623C-5205-000000004302}15401684C:\Windows\system32\csrss.exe{9531C931-513D-623C-5E05-000000004302}2412C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000087325Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:45.065{9531C931-286C-623C-0500-000000004302}408424C:\Windows\system32\csrss.exe{9531C931-513D-623C-5E05-000000004302}2412C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000087324Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:45.050{9531C931-286C-623C-0A00-000000004302}6202360C:\Windows\system32\services.exe{9531C931-513D-623C-5E05-000000004302}2412C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f553|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+1dc37|C:\Windows\system32\services.exe+17f38|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 13241300x800000000000000087323Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:45.050{9531C931-286C-623C-0A00-000000004302}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_348780\Description@%%SystemRoot%%\system32\WpnUserService.dll,-2 13241300x800000000000000087322Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:45.050{9531C931-286C-623C-0A00-000000004302}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_348780\FailureActionsBinary Data 13241300x800000000000000087321Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:45.050{9531C931-286C-623C-0A00-000000004302}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_348780\Security\SecurityBinary Data 13241300x800000000000000087320Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:45.050{9531C931-286C-623C-0A00-000000004302}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_348780\DisplayNameWindows Push Notifications User Service_348780 13241300x800000000000000087319Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971T1031,T1050SetValue2022-03-24 11:08:45.050{9531C931-286C-623C-0A00-000000004302}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_348780\ImagePathC:\Windows\system32\svchost.exe -k UnistackSvcGroup 13241300x800000000000000087318Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:45.050{9531C931-286C-623C-0A00-000000004302}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_348780\ErrorControlDWORD (0x00000000) 13241300x800000000000000087317Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971T1031,T1050SetValue2022-03-24 11:08:45.050{9531C931-286C-623C-0A00-000000004302}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_348780\StartDWORD (0x00000003) 13241300x800000000000000087316Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:45.050{9531C931-286C-623C-0A00-000000004302}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_348780\TypeDWORD (0x000000e0) 13241300x800000000000000087315Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:45.050{9531C931-286C-623C-0A00-000000004302}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_348780\Description@%%SystemRoot%%\system32\UserDataAccessRes.dll,-14000 13241300x800000000000000087314Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:45.050{9531C931-286C-623C-0A00-000000004302}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_348780\FailureActionsBinary Data 13241300x800000000000000087313Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:45.050{9531C931-286C-623C-0A00-000000004302}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_348780\Security\SecurityBinary Data 13241300x800000000000000087312Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:45.050{9531C931-286C-623C-0A00-000000004302}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_348780\DisplayNameUser Data Access_348780 13241300x800000000000000087311Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971T1031,T1050SetValue2022-03-24 11:08:45.050{9531C931-286C-623C-0A00-000000004302}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_348780\ImagePathC:\Windows\system32\svchost.exe -k UnistackSvcGroup 13241300x800000000000000087310Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:45.050{9531C931-286C-623C-0A00-000000004302}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_348780\ErrorControlDWORD (0x00000000) 13241300x800000000000000087309Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971T1031,T1050SetValue2022-03-24 11:08:45.050{9531C931-286C-623C-0A00-000000004302}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_348780\StartDWORD (0x00000003) 13241300x800000000000000087308Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:45.050{9531C931-286C-623C-0A00-000000004302}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_348780\TypeDWORD (0x000000e0) 13241300x800000000000000087307Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:45.036{9531C931-286C-623C-0A00-000000004302}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_348780\Description@%%SystemRoot%%\system32\UserDataAccessRes.dll,-10002 13241300x800000000000000087306Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:45.036{9531C931-286C-623C-0A00-000000004302}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_348780\FailureActionsBinary Data 13241300x800000000000000087305Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:45.036{9531C931-286C-623C-0A00-000000004302}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_348780\Security\SecurityBinary Data 13241300x800000000000000087304Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:45.036{9531C931-286C-623C-0A00-000000004302}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_348780\DisplayNameUser Data Storage_348780 13241300x800000000000000087303Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971T1031,T1050SetValue2022-03-24 11:08:45.036{9531C931-286C-623C-0A00-000000004302}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_348780\ImagePathC:\Windows\System32\svchost.exe -k UnistackSvcGroup 13241300x800000000000000087302Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:45.036{9531C931-286C-623C-0A00-000000004302}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_348780\ErrorControlDWORD (0x00000000) 13241300x800000000000000087301Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971T1031,T1050SetValue2022-03-24 11:08:45.036{9531C931-286C-623C-0A00-000000004302}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_348780\StartDWORD (0x00000003) 13241300x800000000000000087300Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:45.036{9531C931-286C-623C-0A00-000000004302}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_348780\TypeDWORD (0x000000e0) 13241300x800000000000000087299Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:45.036{9531C931-286C-623C-0A00-000000004302}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_348780\Description@%%SystemRoot%%\system32\UserDataAccessRes.dll,-15000 13241300x800000000000000087298Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:45.036{9531C931-286C-623C-0A00-000000004302}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_348780\FailureActionsBinary Data 13241300x800000000000000087297Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:45.036{9531C931-286C-623C-0A00-000000004302}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_348780\Security\SecurityBinary Data 13241300x800000000000000087296Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:45.036{9531C931-286C-623C-0A00-000000004302}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_348780\DisplayNameContact Data_348780 13241300x800000000000000087295Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971T1031,T1050SetValue2022-03-24 11:08:45.036{9531C931-286C-623C-0A00-000000004302}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_348780\ImagePathC:\Windows\system32\svchost.exe -k UnistackSvcGroup 13241300x800000000000000087294Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:45.036{9531C931-286C-623C-0A00-000000004302}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_348780\ErrorControlDWORD (0x00000000) 13241300x800000000000000087293Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971T1031,T1050SetValue2022-03-24 11:08:45.036{9531C931-286C-623C-0A00-000000004302}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_348780\StartDWORD (0x00000003) 13241300x800000000000000087292Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:45.036{9531C931-286C-623C-0A00-000000004302}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_348780\TypeDWORD (0x000000e0) 13241300x800000000000000087291Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:45.036{9531C931-286C-623C-0A00-000000004302}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_348780\Description@%%SystemRoot%%\system32\APHostRes.dll,-10001 13241300x800000000000000087290Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:45.036{9531C931-286C-623C-0A00-000000004302}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_348780\FailureActionsBinary Data 13241300x800000000000000087289Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:45.036{9531C931-286C-623C-0A00-000000004302}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_348780\Security\SecurityBinary Data 10341000x800000000000000087288Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:45.036{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513A-623C-5505-000000004302}976C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087287Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:45.036{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513A-623C-5505-000000004302}976C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000087286Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:45.036{9531C931-286C-623C-0A00-000000004302}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_348780\DisplayNameSync Host_348780 13241300x800000000000000087285Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971T1031,T1050SetValue2022-03-24 11:08:45.036{9531C931-286C-623C-0A00-000000004302}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_348780\ImagePathC:\Windows\system32\svchost.exe -k UnistackSvcGroup 13241300x800000000000000087284Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:45.036{9531C931-286C-623C-0A00-000000004302}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_348780\ErrorControlDWORD (0x00000000) 13241300x800000000000000087283Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971T1031,T1050SetValue2022-03-24 11:08:45.036{9531C931-286C-623C-0A00-000000004302}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_348780\StartDWORD (0x00000002) 13241300x800000000000000087282Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:45.036{9531C931-286C-623C-0A00-000000004302}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_348780\TypeDWORD (0x000000e0) 13241300x800000000000000087281Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:45.019{9531C931-286C-623C-0A00-000000004302}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_348780\Description@%%SystemRoot%%\system32\cdpusersvc.dll,-101 13241300x800000000000000087280Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:45.019{9531C931-286C-623C-0A00-000000004302}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_348780\FailureActionsBinary Data 13241300x800000000000000087279Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:45.019{9531C931-286C-623C-0A00-000000004302}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_348780\Security\SecurityBinary Data 13241300x800000000000000087278Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:45.019{9531C931-286C-623C-0A00-000000004302}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_348780\DisplayNameCDPUserSvc_348780 13241300x800000000000000087277Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971T1031,T1050SetValue2022-03-24 11:08:45.019{9531C931-286C-623C-0A00-000000004302}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_348780\ImagePathC:\Windows\system32\svchost.exe -k UnistackSvcGroup 13241300x800000000000000087276Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:45.019{9531C931-286C-623C-0A00-000000004302}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_348780\ErrorControlDWORD (0x00000001) 13241300x800000000000000087275Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971T1031,T1050SetValue2022-03-24 11:08:45.019{9531C931-286C-623C-0A00-000000004302}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_348780\StartDWORD (0x00000002) 13241300x800000000000000087274Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:45.019{9531C931-286C-623C-0A00-000000004302}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_348780\TypeDWORD (0x000000e0) 10341000x800000000000000087273Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:45.003{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513C-623C-5B05-000000004302}2344C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087272Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:45.003{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087271Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:45.003{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087270Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:45.003{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087269Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:45.003{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000121065Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:46.816{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=087897BADF000FF097C8739DA8816398,SHA256=56AEF230EB0DF5BAD674F84DFD9DDE86D2D89792F8AFA6B9340CFE9F293957D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000121064Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:44.927{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local53domainfalse10.0.1.15WIN-HOST-TCONTR60844- 354300x8000000000000000121063Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:44.603{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local53domainfalse10.0.1.15WIN-HOST-TCONTR56423- 10341000x800000000000000087412Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:46.987{9531C931-513E-623C-6605-000000004302}7801544C:\Windows\System32\svchost.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b063|c:\windows\system32\appreadiness.dll+beb1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+54153|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000087411Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:46.972{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513E-623C-6605-000000004302}780C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087410Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:46.925{9531C931-286C-623C-0A00-000000004302}6203704C:\Windows\system32\services.exe{9531C931-513E-623C-6605-000000004302}780C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087409Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:46.909{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087408Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:46.909{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087407Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:46.909{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087406Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:46.909{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087405Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:46.909{9531C931-286C-623C-0500-000000004302}4081060C:\Windows\system32\csrss.exe{9531C931-513E-623C-6605-000000004302}780C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000087404Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:46.909{9531C931-286C-623C-0A00-000000004302}6202360C:\Windows\system32\services.exe{9531C931-513E-623C-6605-000000004302}780C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f553|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000087403Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:46.918{9531C931-513E-623C-6605-000000004302}780C:\Windows\System32\svchost.exe10.0.14393.5006 (rs1_release.220301-1704)Host Process for Windows ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationsvchost.exeC:\Windows\System32\svchost.exe -k AppReadinessC:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=50737ECC79BD2F6429781DC7B4C3DC20,SHA256=71C4616890F03244C3737DEF2FA1E804A0EB86004C3D8B0817BEFC2A0C21BB7F,IMPHASH=9C33C8C3DCCAC65606FE5A9180D15924{9531C931-286C-623C-0A00-000000004302}620C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x800000000000000087402Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:46.909{9531C931-286C-623C-0B00-000000004302}6282284C:\Windows\system32\lsass.exe{9531C931-286C-623C-0A00-000000004302}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1e908|C:\Windows\system32\lsasrv.dll+1db31|C:\Windows\system32\lsasrv.dll+1c350|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087401Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:46.909{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286C-623C-0B00-000000004302}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087400Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:46.909{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286C-623C-0B00-000000004302}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087399Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:46.909{9531C931-286C-623C-0B00-000000004302}6282284C:\Windows\system32\lsass.exe{9531C931-286C-623C-0A00-000000004302}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b8ad|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087398Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:46.893{9531C931-286C-623C-0B00-000000004302}6282284C:\Windows\system32\lsass.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087397Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:46.893{9531C931-286C-623C-0B00-000000004302}6282284C:\Windows\system32\lsass.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087396Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:46.800{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087395Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:46.784{9531C931-286E-623C-1400-000000004302}9521952C:\Windows\system32\svchost.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087394Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:46.784{9531C931-286E-623C-1400-000000004302}9521104C:\Windows\system32\svchost.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000087393Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:46.784{9531C931-513E-623C-6505-000000004302}3588WIN-HOST-TCONTR\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\ExplorerStartupLog.etlMD5=184FA94EBB57B2609A3F5C014A01CC0D,SHA256=DCB008A7EA59EDDC58DF5FA0C952752415AF5C8017DE4535C9DE1683B1A386D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087392Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:46.597{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=991D5EF1707248B4BC45B3D887BA87DA,SHA256=D3C820375294AAB39E059AF6C16F22E10EB22B888074BFB2C7561C48076130B5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087391Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:46.409{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087390Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:46.300{9531C931-5139-623C-5205-000000004302}15403348C:\Windows\system32\csrss.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000087389Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:46.300{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087388Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:46.300{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087387Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:46.300{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087386Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:46.300{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087385Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:46.300{9531C931-513D-623C-6405-000000004302}40441876C:\Windows\system32\userinit.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\userinit.exe+1cd8|C:\Windows\system32\userinit.exe+23e5|C:\Windows\system32\userinit.exe+346e|C:\Windows\system32\userinit.exe+3725|C:\Windows\system32\userinit.exe+4553|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000087384Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:46.018{9531C931-513E-623C-6505-000000004302}3588C:\Windows\explorer.exe10.0.14393.4169 (rs1_release.210107-1130)Windows ExplorerMicrosoft® Windows® Operating SystemMicrosoft CorporationEXPLORER.EXEC:\Windows\Explorer.EXEC:\Windows\system32\WIN-HOST-TCONTR\Administrator{9531C931-513B-623C-21B3-330000000000}0x33b3212HighMD5=F7FDECA990692D53D7E4E396B0BD711E,SHA256=1F955612E7DB9BB037751A89DAE78DFAF03D7C1BCC62DF2EF019F6CFE6D1BBA7,IMPHASH=8D2880102609AA4B23679BD4FEBEBC95{9531C931-513D-623C-6405-000000004302}4044C:\Windows\System32\userinit.exeC:\Windows\system32\userinit.exe 23542300x8000000000000000121066Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:47.910{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DE7B9CC9E829A5426DAB925023E6453,SHA256=817AB8A249B629A83B0D1726652151FEA85BDE590EB72DB86217EC01CDBF7590,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087466Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:47.956{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78CF00767334AC9F4E9455C97E40F8AF,SHA256=F1E47009BF45689B9835931B973BD845A4D318619BA60EB3DF7556CCEDFF16D1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087465Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:47.940{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087464Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:47.925{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087463Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:47.925{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087462Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:47.925{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087461Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:47.925{9531C931-5139-623C-5205-000000004302}15401684C:\Windows\system32\csrss.exe{9531C931-513F-623C-6905-000000004302}3320C:\Windows\System32\ie4uinit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000087460Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:47.925{9531C931-513F-623C-6805-000000004302}39243048C:\Windows\System32\ie4uinit.exe{9531C931-513F-623C-6905-000000004302}3320C:\Windows\System32\ie4uinit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ie4uinit.exe+2d19|C:\Windows\System32\ie4uinit.exe+33b8|C:\Windows\System32\ie4uinit.exe+245e7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000087459Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:47.937{9531C931-513F-623C-6905-000000004302}3320C:\Windows\System32\ie4uinit.exe11.00.14393.2999 (rs1_release_inmarket.190520-1518)IE Per-User Initialization UtilityInternet ExplorerMicrosoft CorporationIE4UINIT.EXEC:\Windows\System32\ie4uinit.exe -ClearIconCacheC:\Windows\system32\WIN-HOST-TCONTR\Administrator{9531C931-513B-623C-21B3-330000000000}0x33b3212HighMD5=8450580ADC40581006B7233F2B2803EB,SHA256=DD7FE0DBD6BD3B66437C093B707D1B2CA8AC72E4671B88829A4327FA6B8A00BD,IMPHASH=A9F54FA8B3C0ECA158788E684C66CA9A{9531C931-513F-623C-6805-000000004302}3924C:\Windows\System32\ie4uinit.exe"C:\Windows\System32\ie4uinit.exe" -UserConfig 10341000x800000000000000087458Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:47.909{9531C931-286C-623C-0B00-000000004302}6282684C:\Windows\system32\lsass.exe{9531C931-513F-623C-6805-000000004302}3924C:\Windows\System32\ie4uinit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087457Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:47.878{9531C931-286E-623C-1400-000000004302}9523488C:\Windows\system32\svchost.exe{9531C931-513F-623C-6805-000000004302}3924C:\Windows\System32\ie4uinit.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087456Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:47.878{9531C931-286E-623C-1400-000000004302}9521104C:\Windows\system32\svchost.exe{9531C931-513F-623C-6805-000000004302}3924C:\Windows\System32\ie4uinit.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000087455Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:47.737{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAC4D9F932AA6D6A66D2B9F9480E1587,SHA256=ABF023CAA8F5A44D9FFD871C2B4982B7AB545F0C8C28A050F8E9949378E566AB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087454Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:47.706{9531C931-286E-623C-1400-000000004302}9521952C:\Windows\system32\svchost.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\shsvcs.dll+11f99|c:\windows\system32\shsvcs.dll+11ba6|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000087453Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:47.706{9531C931-286E-623C-1400-000000004302}9521952C:\Windows\system32\svchost.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x101068C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\shsvcs.dll+11f27|c:\windows\system32\shsvcs.dll+11ba6|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000087452Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:47.692{9531C931-5139-623C-5205-000000004302}15401844C:\Windows\system32\csrss.exe{9531C931-513F-623C-6805-000000004302}3924C:\Windows\System32\ie4uinit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000087451Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:47.692{9531C931-513E-623C-6505-000000004302}35882640C:\Windows\Explorer.EXE{9531C931-513F-623C-6805-000000004302}3924C:\Windows\System32\ie4uinit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e70b|C:\Windows\System32\windows.storage.dll+16e421|C:\Windows\System32\windows.storage.dll+16e06e|C:\Windows\System32\windows.storage.dll+16f310|C:\Windows\System32\windows.storage.dll+16ddbe|C:\Windows\System32\windows.storage.dll+fce7d|C:\Windows\System32\windows.storage.dll+fd5bc|C:\Windows\System32\windows.storage.dll+fc920|C:\Windows\System32\windows.storage.dll+1664ca|C:\Windows\System32\windows.storage.dll+166222|C:\Windows\System32\SHELL32.dll+9cf3d|C:\Windows\System32\SHELL32.dll+9bad6|C:\Windows\System32\SHELL32.dll+d9be1|C:\Windows\System32\SHELL32.dll+c0bbe|C:\Windows\System32\SHELL32.dll+551f64|C:\Windows\System32\SHELL32.dll+5519c0|C:\Windows\System32\SHELL32.dll+551b34|C:\Windows\System32\SHELL32.dll+23068d|C:\Windows\System32\SHELL32.dll+230548|C:\Windows\System32\SHELL32.dll+106b71 10341000x800000000000000087450Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:47.675{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087449Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:47.675{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087448Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:47.675{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087447Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:47.675{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000087446Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:47.676{9531C931-513F-623C-6805-000000004302}3924C:\Windows\System32\ie4uinit.exe11.00.14393.2999 (rs1_release_inmarket.190520-1518)IE Per-User Initialization UtilityInternet ExplorerMicrosoft CorporationIE4UINIT.EXE"C:\Windows\System32\ie4uinit.exe" -UserConfigC:\Windows\system32\WIN-HOST-TCONTR\Administrator{9531C931-513B-623C-21B3-330000000000}0x33b3212HighMD5=8450580ADC40581006B7233F2B2803EB,SHA256=DD7FE0DBD6BD3B66437C093B707D1B2CA8AC72E4671B88829A4327FA6B8A00BD,IMPHASH=A9F54FA8B3C0ECA158788E684C66CA9A{9531C931-513E-623C-6505-000000004302}3588C:\Windows\explorer.exeC:\Windows\Explorer.EXE 10341000x800000000000000087445Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:47.628{9531C931-513D-623C-6005-000000004302}32162744C:\Windows\system32\taskhostw.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087444Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:47.628{9531C931-513D-623C-6005-000000004302}32162744C:\Windows\system32\taskhostw.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087443Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:47.534{9531C931-286C-623C-0B00-000000004302}6282684C:\Windows\system32\lsass.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087442Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:47.534{9531C931-286C-623C-0B00-000000004302}6282684C:\Windows\system32\lsass.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087441Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:47.534{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087440Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:47.534{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087439Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:47.425{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087438Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:47.393{9531C931-513F-623C-6705-000000004302}21641492C:\Windows\system32\svchost.exe{9531C931-513E-623C-6605-000000004302}780C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+115196|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087437Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:47.393{9531C931-513F-623C-6705-000000004302}21644012C:\Windows\system32\svchost.exe{9531C931-513E-623C-6605-000000004302}780C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+115196|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000087436Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:47.237{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=744C87C78B8C264BD1434907D7149C96,SHA256=5BEB224F088F5A1E2FFC4E181EE5A5E6C9BE124A18843779ED4CAAB03C22C383,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087435Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:47.097{9531C931-286C-623C-0A00-000000004302}6203704C:\Windows\system32\services.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087434Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:47.081{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087433Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:47.065{9531C931-286C-623C-0500-000000004302}4081060C:\Windows\system32\csrss.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000087432Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:47.065{9531C931-286C-623C-0A00-000000004302}6202360C:\Windows\system32\services.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f553|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087431Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:47.065{9531C931-286C-623C-0B00-000000004302}6282684C:\Windows\system32\lsass.exe{9531C931-286C-623C-0A00-000000004302}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1e908|C:\Windows\system32\lsasrv.dll+1db31|C:\Windows\system32\lsasrv.dll+1c350|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087430Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:47.065{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286C-623C-0B00-000000004302}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087429Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:47.065{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286C-623C-0B00-000000004302}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087428Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:47.065{9531C931-286C-623C-0B00-000000004302}6282684C:\Windows\system32\lsass.exe{9531C931-286C-623C-0A00-000000004302}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b8ad|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087427Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:47.050{9531C931-286C-623C-0B00-000000004302}6282284C:\Windows\system32\lsass.exe{9531C931-513E-623C-6605-000000004302}780C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087426Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:47.050{9531C931-286C-623C-0B00-000000004302}6282284C:\Windows\system32\lsass.exe{9531C931-513E-623C-6605-000000004302}780C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087425Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:47.034{9531C931-513E-623C-6605-000000004302}7801544C:\Windows\System32\svchost.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b130|c:\windows\system32\appreadiness.dll+bf29|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000087424Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:47.034{9531C931-513E-623C-6605-000000004302}7801544C:\Windows\System32\svchost.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b063|c:\windows\system32\appreadiness.dll+beb1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000087423Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:47.034{9531C931-513E-623C-6605-000000004302}7801544C:\Windows\System32\svchost.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b130|c:\windows\system32\appreadiness.dll+b71e|c:\windows\system32\appreadiness.dll+b625|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc 10341000x800000000000000087422Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:47.034{9531C931-513E-623C-6605-000000004302}7801544C:\Windows\System32\svchost.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b063|c:\windows\system32\appreadiness.dll+b680|c:\windows\system32\appreadiness.dll+b625|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc 10341000x800000000000000087421Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:47.034{9531C931-513E-623C-6605-000000004302}7803780C:\Windows\System32\svchost.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b130|c:\windows\system32\appreadiness.dll+bf29|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000087420Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:47.034{9531C931-513E-623C-6605-000000004302}7803780C:\Windows\System32\svchost.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b063|c:\windows\system32\appreadiness.dll+beb1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000087419Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:47.018{9531C931-513E-623C-6605-000000004302}7801544C:\Windows\System32\svchost.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b130|c:\windows\system32\appreadiness.dll+bf29|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000087418Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:47.018{9531C931-513E-623C-6605-000000004302}7801544C:\Windows\System32\svchost.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b063|c:\windows\system32\appreadiness.dll+beb1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000087417Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:47.018{9531C931-513E-623C-6605-000000004302}7801544C:\Windows\System32\svchost.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b130|c:\windows\system32\appreadiness.dll+b71e|c:\windows\system32\appreadiness.dll+b625|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc 354300x800000000000000087416Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:44.842{9531C931-286E-623C-1400-000000004302}952C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51750-false52.249.36.203-443https 10341000x800000000000000087415Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:47.003{9531C931-513E-623C-6605-000000004302}7801544C:\Windows\System32\svchost.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b063|c:\windows\system32\appreadiness.dll+b680|c:\windows\system32\appreadiness.dll+b625|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc 10341000x800000000000000087414Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:47.003{9531C931-513E-623C-6605-000000004302}7801544C:\Windows\System32\svchost.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b130|c:\windows\system32\appreadiness.dll+bf29|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+54153|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000087413Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:46.987{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513E-623C-6605-000000004302}780C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000087630Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.987{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8431F64BCF5AFCA6434EAAE29437A82E,SHA256=B74855AD67BC7AED08FC02A244F194EA019D688075098008EBAE3F43C57260C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087629Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.910{9531C931-513F-623C-6805-000000004302}3924WIN-HOST-TCONTR\AdministratorC:\Windows\System32\ie4uinit.exeC:\Users\Administrator\Favorites\Bing.urlMD5=5D42DDDDA9951546C9D43F0062C94D39,SHA256=E0C0A5A360482B5C5DED8FAD5706C4C66F215F527851AD87B31380EF6060696E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087628Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.878{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087627Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.878{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087626Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.878{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087625Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.878{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087624Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.878{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087623Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.878{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000121068Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:46.899{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63402-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000121067Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:46.634{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local53domainfalse10.0.1.15WIN-HOST-TCONTR51522- 23542300x800000000000000087622Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.862{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD72B59089EBEC6EF8F95F4870DD565F,SHA256=3111250C4175AEC089CE02BF7CC5A4412FBD7D194B51D1416FAEBF85DA0C349C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087621Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.862{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087620Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.862{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087619Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.862{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087618Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.862{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087617Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.847{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087616Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.847{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000087615Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.847{9531C931-513F-623C-6805-000000004302}3924C:\Windows\System32\ie4uinit.exeC:\Users\Administrator\AppData\Local\Microsoft\Internet Explorer\brndlog.txt2022-03-23 10:15:59.769 23542300x800000000000000087614Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.847{9531C931-513F-623C-6805-000000004302}3924WIN-HOST-TCONTR\AdministratorC:\Windows\System32\ie4uinit.exeC:\Users\Administrator\AppData\Local\Microsoft\Internet Explorer\brndlog.txtMD5=9902BAEDC06FA4A8681E696EE6C73C06,SHA256=D0628FA63102EE74053BC6EFDD297AED794848F5DC300DAA7E391F4CF04E8511,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087613Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.831{9531C931-513F-623C-6805-000000004302}3924WIN-HOST-TCONTR\AdministratorC:\Windows\System32\ie4uinit.exeC:\Users\Administrator\AppData\Local\Microsoft\Internet Explorer\brndlog.bakMD5=840DF767CAC9367CBBFD774EF011EAF3,SHA256=B2BAC5F3DE47D5C7ACDC0F8AFC4FFD4740260880C0A0CF4E4383495AB1AA98DF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087612Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.831{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087611Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.831{9531C931-286C-623C-0B00-000000004302}6282284C:\Windows\system32\lsass.exe{9531C931-286E-623C-1600-000000004302}1216C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087610Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.831{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087609Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.831{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087608Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.831{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087607Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.831{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087606Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.831{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000087605Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.815{9531C931-513F-623C-6805-000000004302}3924WIN-HOST-TCONTR\AdministratorC:\Windows\System32\ie4uinit.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RGI2C3B.tmpMD5=A828B8C496779BDB61FCE06BA0D57C39,SHA256=C952F470A428D5D61ED52FB05C0143258687081E1AD13CFE6FF58037B375364D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087604Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.815{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087603Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.815{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087602Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.815{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087601Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.815{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000087600Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.815{9531C931-513F-623C-6805-000000004302}3924WIN-HOST-TCONTR\AdministratorC:\Windows\System32\ie4uinit.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RGI2C3B.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087599Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.815{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087598Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.815{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087597Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.800{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087596Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.800{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087595Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.800{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000087594Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.800{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F4EB636265CCF841FE24F17F0E202E5,SHA256=D0D8BF9067AEDDC02674FC43694AE94C5E22C47FDC6800231B5AB73B403F22A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087593Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.800{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087592Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.800{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087591Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.800{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087590Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.784{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087589Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.784{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087588Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.784{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087587Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.784{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087586Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.784{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087585Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.784{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087584Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.769{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087583Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.769{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087582Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.769{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087581Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.769{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087580Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.769{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087579Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.769{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087578Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.753{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087577Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.753{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087576Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.753{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087575Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.753{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087574Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.753{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087573Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.753{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087572Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.753{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087571Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.753{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087570Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.753{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087569Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.753{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087568Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.753{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087567Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.753{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087566Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.737{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087565Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.737{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087564Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.737{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087563Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.737{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087562Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.737{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087561Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.737{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087560Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.722{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087559Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.722{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087558Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.722{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087557Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.722{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087556Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.706{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087555Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.706{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087554Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.690{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087553Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.690{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087552Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.690{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087551Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.690{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087550Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.690{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087549Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.690{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087548Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.659{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087547Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.659{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087546Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.659{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087545Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.659{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087544Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.659{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087543Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.659{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087542Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.643{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087541Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.643{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087540Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.643{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087539Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.643{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087538Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.643{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087537Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.643{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087536Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.628{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087535Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.628{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087534Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.628{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087533Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.628{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087532Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.628{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087531Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.628{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087530Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.612{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087529Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.612{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087528Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.612{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087527Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.612{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087526Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.612{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087525Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.612{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087524Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.581{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087523Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.581{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087522Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.581{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087521Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.581{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087520Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.581{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087519Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.581{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087518Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.581{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087517Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.581{9531C931-286C-623C-0B00-000000004302}6282684C:\Windows\system32\lsass.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+2640a|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087516Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.581{9531C931-286C-623C-0B00-000000004302}6282684C:\Windows\system32\lsass.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000087515Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.440{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FAA59CFEA53926259C5B327D5575F90,SHA256=16A3F1D482315EF2B8FA8AF1FF7A58935C3D58EC1F79DA20E4901AABA0B30AFD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087514Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.440{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087513Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.393{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087512Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.393{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087511Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.393{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087510Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.393{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087509Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.393{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087508Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.393{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087507Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.393{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087506Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.378{9531C931-286C-623C-0B00-000000004302}6282684C:\Windows\system32\lsass.exe{9531C931-5140-623C-6B05-000000004302}2940C:\Windows\system32\RunDll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087505Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.378{9531C931-286C-623C-0B00-000000004302}6282684C:\Windows\system32\lsass.exe{9531C931-5140-623C-6B05-000000004302}2940C:\Windows\system32\RunDll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087504Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.378{9531C931-286C-623C-0B00-000000004302}6282684C:\Windows\system32\lsass.exe{9531C931-5140-623C-6A05-000000004302}584C:\Windows\system32\RunDll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087503Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.378{9531C931-286C-623C-0B00-000000004302}6282684C:\Windows\system32\lsass.exe{9531C931-5140-623C-6A05-000000004302}584C:\Windows\system32\RunDll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087502Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.378{9531C931-286E-623C-1400-000000004302}9522720C:\Windows\system32\svchost.exe{9531C931-5140-623C-6B05-000000004302}2940C:\Windows\system32\RunDll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087501Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.378{9531C931-286E-623C-1400-000000004302}9521104C:\Windows\system32\svchost.exe{9531C931-5140-623C-6B05-000000004302}2940C:\Windows\system32\RunDll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087500Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.378{9531C931-286E-623C-1400-000000004302}9521952C:\Windows\system32\svchost.exe{9531C931-5140-623C-6A05-000000004302}584C:\Windows\system32\RunDll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087499Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.378{9531C931-286E-623C-1400-000000004302}9521104C:\Windows\system32\svchost.exe{9531C931-5140-623C-6A05-000000004302}584C:\Windows\system32\RunDll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087498Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.331{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087497Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.331{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087496Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.331{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087495Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.331{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087494Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.331{9531C931-5139-623C-5205-000000004302}15401684C:\Windows\system32\csrss.exe{9531C931-5140-623C-6B05-000000004302}2940C:\Windows\system32\RunDll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000087493Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.331{9531C931-513F-623C-6905-000000004302}33202488C:\Windows\System32\ie4uinit.exe{9531C931-5140-623C-6B05-000000004302}2940C:\Windows\system32\RunDll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f553|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Windows\system32\migration\WininetPlugin.dll+2b25|C:\Windows\system32\migration\WininetPlugin.dll+1e44|C:\Windows\system32\migration\WininetPlugin.dll+176c|C:\Windows\System32\ie4uinit.exe+2b3c|C:\Windows\System32\ie4uinit.exe+33b8|C:\Windows\System32\ie4uinit.exe+245e7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000087492Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.343{9531C931-5140-623C-6B05-000000004302}2940C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXEC:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0C:\Windows\system32\WIN-HOST-TCONTR\Administrator{9531C931-513B-623C-21B3-330000000000}0x33b3212MediumMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{9531C931-513F-623C-6905-000000004302}3320C:\Windows\System32\ie4uinit.exeC:\Windows\System32\ie4uinit.exe -ClearIconCache 10341000x800000000000000087491Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.331{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087490Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.331{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087489Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.331{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087488Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.331{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087487Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.331{9531C931-5139-623C-5205-000000004302}15403348C:\Windows\system32\csrss.exe{9531C931-5140-623C-6A05-000000004302}584C:\Windows\system32\RunDll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000087486Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.331{9531C931-513F-623C-6905-000000004302}33202488C:\Windows\System32\ie4uinit.exe{9531C931-5140-623C-6A05-000000004302}584C:\Windows\system32\RunDll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f553|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Windows\system32\migration\WininetPlugin.dll+2b25|C:\Windows\system32\migration\WininetPlugin.dll+1e44|C:\Windows\system32\migration\WininetPlugin.dll+1743|C:\Windows\System32\ie4uinit.exe+2b3c|C:\Windows\System32\ie4uinit.exe+33b8|C:\Windows\System32\ie4uinit.exe+245e7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000087485Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.336{9531C931-5140-623C-6A05-000000004302}584C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXEC:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0C:\Windows\system32\WIN-HOST-TCONTR\Administrator{9531C931-513B-623C-21B3-330000000000}0x33b3212LowMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{9531C931-513F-623C-6905-000000004302}3320C:\Windows\System32\ie4uinit.exeC:\Windows\System32\ie4uinit.exe -ClearIconCache 10341000x800000000000000087484Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.331{9531C931-286C-623C-0B00-000000004302}6282284C:\Windows\system32\lsass.exe{9531C931-513F-623C-6905-000000004302}3320C:\Windows\System32\ie4uinit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087483Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.143{9531C931-286C-623C-0B00-000000004302}6282284C:\Windows\system32\lsass.exe{9531C931-513F-623C-6805-000000004302}3924C:\Windows\System32\ie4uinit.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087482Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.143{9531C931-286C-623C-0B00-000000004302}6282284C:\Windows\system32\lsass.exe{9531C931-513F-623C-6805-000000004302}3924C:\Windows\System32\ie4uinit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000087481Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.143{9531C931-513F-623C-6805-000000004302}3924WIN-HOST-TCONTR\AdministratorC:\Windows\System32\ie4uinit.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RGI298A.tmpMD5=DD4F5026AA316D4AEC4A9D789E63E67B,SHA256=8D7E6CEE70D6035C066B93143461D5F636E144373F5C46BC10A8935D306E0737,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087480Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.128{9531C931-513F-623C-6805-000000004302}3924WIN-HOST-TCONTR\AdministratorC:\Windows\System32\ie4uinit.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RGI298A.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087479Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.128{9531C931-513F-623C-6805-000000004302}3924WIN-HOST-TCONTR\AdministratorC:\Windows\System32\ie4uinit.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RGI297A.tmpMD5=DD4F5026AA316D4AEC4A9D789E63E67B,SHA256=8D7E6CEE70D6035C066B93143461D5F636E144373F5C46BC10A8935D306E0737,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087478Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.112{9531C931-513F-623C-6805-000000004302}3924WIN-HOST-TCONTR\AdministratorC:\Windows\System32\ie4uinit.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RGI297A.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087477Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.112{9531C931-513F-623C-6805-000000004302}3924WIN-HOST-TCONTR\AdministratorC:\Windows\System32\ie4uinit.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RGI294A.tmpMD5=DD4F5026AA316D4AEC4A9D789E63E67B,SHA256=8D7E6CEE70D6035C066B93143461D5F636E144373F5C46BC10A8935D306E0737,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087476Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.081{9531C931-286C-623C-0B00-000000004302}6282684C:\Windows\system32\lsass.exe{9531C931-513F-623C-6905-000000004302}3320C:\Windows\System32\ie4uinit.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087475Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.081{9531C931-286C-623C-0B00-000000004302}6282684C:\Windows\system32\lsass.exe{9531C931-513F-623C-6905-000000004302}3320C:\Windows\System32\ie4uinit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000087474Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.065{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=E100BF7EA57A41D5FF10DD420E5416E7,SHA256=C447DFD3E24F08E6433DE2379FA16E01117E9DF2D2DC69D580BA1E62EFB34F0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087473Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.065{9531C931-513F-623C-6805-000000004302}3924WIN-HOST-TCONTR\AdministratorC:\Windows\System32\ie4uinit.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RGI294A.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087472Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.050{9531C931-513F-623C-6805-000000004302}3924WIN-HOST-TCONTR\AdministratorC:\Windows\System32\ie4uinit.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RGI2929.tmpMD5=DD4F5026AA316D4AEC4A9D789E63E67B,SHA256=8D7E6CEE70D6035C066B93143461D5F636E144373F5C46BC10A8935D306E0737,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087471Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.034{9531C931-513F-623C-6805-000000004302}3924WIN-HOST-TCONTR\AdministratorC:\Windows\System32\ie4uinit.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RGI2929.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087470Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.034{9531C931-513F-623C-6805-000000004302}3924WIN-HOST-TCONTR\AdministratorC:\Windows\System32\ie4uinit.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RGI2919.tmpMD5=DD4F5026AA316D4AEC4A9D789E63E67B,SHA256=8D7E6CEE70D6035C066B93143461D5F636E144373F5C46BC10A8935D306E0737,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087469Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.019{9531C931-513F-623C-6805-000000004302}3924WIN-HOST-TCONTR\AdministratorC:\Windows\System32\ie4uinit.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RGI2919.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087468Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.004{9531C931-286E-623C-1400-000000004302}9523488C:\Windows\system32\svchost.exe{9531C931-513F-623C-6905-000000004302}3320C:\Windows\System32\ie4uinit.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087467Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:47.987{9531C931-286E-623C-1400-000000004302}9521104C:\Windows\system32\svchost.exe{9531C931-513F-623C-6905-000000004302}3320C:\Windows\System32\ie4uinit.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000121069Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:49.003{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CECD786BB8EE54763C3321A42E8ADC9,SHA256=923FA5E272D4C7DFB6B11CD051843E378C676D4A551A3D1CB283D7C352484AB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087873Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.862{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67C8BE1B1FC5CAC276D94273F5D3E6D4,SHA256=710E2EF521774FB9FCCF4A866F351F98641FA79230A6969EB1AD6E22777F46B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087872Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.862{9531C931-286C-623C-0500-000000004302}408424C:\Windows\system32\csrss.exe{9531C931-5141-623C-6F05-000000004302}3924C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000087871Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.862{9531C931-513F-623C-6705-000000004302}21643792C:\Windows\system32\svchost.exe{9531C931-5141-623C-6F05-000000004302}3924C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f553|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\System32\AppXDeploymentExtensions.desktop.dll+21b54|C:\Windows\System32\AppXDeploymentExtensions.desktop.dll+2a21d|c:\windows\system32\appxdeploymentserver.dll+15830f|c:\windows\system32\appxdeploymentserver.dll+ae5a4|c:\windows\system32\appxdeploymentserver.dll+929c4|c:\windows\system32\appxdeploymentserver.dll+19e0c|c:\windows\system32\appxdeploymentserver.dll+2bffd|c:\windows\system32\appxdeploymentserver.dll+2bdf9|C:\Windows\SYSTEM32\ntdll.dll+80a34|C:\Windows\SYSTEM32\ntdll.dll+1e8a2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000087870Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.869{9531C931-5141-623C-6F05-000000004302}3924C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXErundll32.exe AppXDeploymentExtensions.OneCore.dll,ShellRefreshC:\Windows\system32\WIN-HOST-TCONTR\Administrator{9531C931-513B-623C-21B3-330000000000}0x33b3212HighMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{9531C931-513F-623C-6705-000000004302}2164C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k wsappx 13241300x800000000000000087869Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:49.862{9531C931-286E-623C-1300-000000004302}700C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\AppCs\S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773S-1-5-21-2214540325-3392803530-572759246-500v2.26|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|LUOwn=S-1-5-21-2214540325-3392803530-572759246-500|C=S-1-15-3-1|C=S-1-15-3-3|C=S-1-15-3-787448254-1207972858-3558633622-1059886964|C=S-1-15-3-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|B=C:\Windows\system32\wwahost.exe|M=microsoft.windows.cloudexperiencehost_cw5n1h2txyewy|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|D=C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\|PFN=Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy| 23542300x800000000000000087868Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.847{9531C931-513E-623C-6505-000000004302}3588WIN-HOST-TCONTR\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Libraries\Pictures.library-ms~RFa02ffe.TMPMD5=B781C14C5D319D8C6D5A668AA13CD5BC,SHA256=336F8048BD1C7FCB55199574C11716F1BC3C438E8D329C157385EC33C783196B,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000087867Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:49.831{9531C931-286E-623C-1300-000000004302}700C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{71885467-CD7C-4DE3-9A3B-AE42EAB05A5E}v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUOwn=S-1-5-21-2214540325-3392803530-572759246-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Platform=2:6:2|Platform2=GTEQ| 13241300x800000000000000087866Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:49.831{9531C931-286E-623C-1300-000000004302}700C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{7FEDDF78-ADF9-4D35-B456-519834F81B1F}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUOwn=S-1-5-21-2214540325-3392803530-572759246-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Platform=2:6:2|Platform2=GTEQ| 13241300x800000000000000087865Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:49.831{9531C931-286E-623C-1300-000000004302}700C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{0D01A93F-42BB-48BA-8DC1-BC8A26D957C4}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntErnet|RA62=IntErnet|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2214540325-3392803530-572759246-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}| 13241300x800000000000000087864Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:49.831{9531C931-286E-623C-1300-000000004302}700C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{192FCA5A-368D-49D4-AEDB-FA558FE78D0D}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Private|Profile=Public|RA42=RmtIntrAnet|RA62=RmtIntrAnet|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2214540325-3392803530-572759246-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Security=Authenticate| 13241300x800000000000000087863Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:49.831{9531C931-286E-623C-1300-000000004302}700C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{0CEFF47E-CDA2-4B9A-8E2E-04FE93D3B79E}v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Private|Profile=Public|RA42=RmtIntrAnet|RA62=RmtIntrAnet|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2214540325-3392803530-572759246-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Security=Authenticate| 13241300x800000000000000087862Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:49.831{9531C931-286E-623C-1300-000000004302}700C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{6CAF6851-4986-4526-A4C5-8B1266ECB1F2}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntrAnet|RA62=IntrAnet|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2214540325-3392803530-572759246-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}| 13241300x800000000000000087861Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:49.831{9531C931-286E-623C-1300-000000004302}700C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{318CBB48-F695-4AC8-9E50-BD4193A27154}v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Profile=Public|RA42=IntrAnet|RA62=IntrAnet|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2214540325-3392803530-572759246-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}| 13241300x800000000000000087860Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:49.831{9531C931-286E-623C-1300-000000004302}700C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{C7074C75-B60D-4F6E-BEA7-C1CED6A2D0D3}v2.26|Action=Block|Active=TRUE|Dir=Out|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUOwn=S-1-5-21-2214540325-3392803530-572759246-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}| 13241300x800000000000000087859Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:49.831{9531C931-286E-623C-1300-000000004302}700C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{1EBD6368-AE3A-46A1-A760-F2CAFBAA5EDC}v2.26|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUOwn=S-1-5-21-2214540325-3392803530-572759246-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}| 23542300x800000000000000087858Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.802{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\Settings\settings.datMD5=A8308D2F3DDE0745E8B678BF69A2ECD0,SHA256=7FBB3E503ED8A4A8E5D5FAB601883CBB31D2E06D6B598460E570FB7A763EE555,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087857Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.802{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95A7FD3C0A48A5062161B4FD06D710A3,SHA256=66F032753161FA3D49966D19BB6897D1C0B6504BB269FC7B32635865EFF0B234,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087856Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.785{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087855Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.785{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087854Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.785{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087853Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.785{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087852Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.785{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087851Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.770{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087850Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.770{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087849Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.755{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087848Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.755{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087847Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.738{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087846Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.738{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087845Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.738{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087844Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.738{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087843Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.738{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087842Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.738{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087841Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.738{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087840Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.738{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087839Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.738{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087838Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.738{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087837Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.738{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087836Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.738{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087835Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.722{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087834Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.722{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087833Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.722{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087832Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.722{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087831Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.722{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087830Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.722{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087829Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.722{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087828Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.722{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000087827Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.722{9531C931-513E-623C-6505-000000004302}3588WIN-HOST-TCONTR\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Libraries\Documents.library-ms~RFa02fa1.TMPMD5=67183E7390505E8A2A0EDA817AEB25A2,SHA256=0FE5DD86CD04F1B4C1E357FFC5BDB309AB724C18E537DE3E442C75178CAA0FAE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087826Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.706{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087825Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.706{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087824Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.706{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087823Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.706{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000087822Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.706{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\SystemApps\Microsoft.BioEnrollment_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64MD5=1036E3DDDC89A4E68D8A33F3823A180E,SHA256=FB5E512425FC9449316EC95969EBE71E2D576DBAB833D61E2A5B9330FD70EE02,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087821Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.706{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087820Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.706{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087819Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.706{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087818Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.706{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087817Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.706{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087816Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.706{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087815Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.706{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087814Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.706{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087813Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.706{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087812Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.706{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087811Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.706{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087810Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.690{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087809Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.643{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087808Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.643{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087807Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.643{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087806Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.643{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087805Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.643{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087804Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.643{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087803Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.643{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000087802Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:49.643{9531C931-286E-623C-1300-000000004302}700C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\AppCs\S-1-15-2-19479607-1015771884-3827151630-3301822711-2267158487-4079414233-1230461222S-1-5-21-2214540325-3392803530-572759246-500v2.26|AppPkgId=S-1-15-2-19479607-1015771884-3827151630-3301822711-2267158487-4079414233-1230461222|LUOwn=S-1-5-21-2214540325-3392803530-572759246-500|C=S-1-15-3-3845273463-1331427702-1186551195-1148109977|C=S-1-15-3-787448254-1207972858-3558633622-1059886964|C=S-1-15-3-19479607-1015771884-3827151630-3301822711-2267158487-4079414233-1230461222|M=microsoft.bioenrollment_cw5n1h2txyewy|Name=@{Microsoft.BioEnrollment_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.BioEnrollment/Resources/AppDisplayName}|Desc=@{Microsoft.BioEnrollment_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.BioEnrollment/Resources/AppDisplayName}|D=C:\Windows\SystemApps\Microsoft.BioEnrollment_cw5n1h2txyewy\|PFN=Microsoft.BioEnrollment_10.0.14393.0_neutral__cw5n1h2txyewy| 13241300x800000000000000087801Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:49.612{9531C931-286E-623C-1300-000000004302}700C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{95D79391-5C06-4B6B-BFB0-000D764B3A3E}v2.26|Action=Block|Active=TRUE|Dir=Out|Name=@{Microsoft.BioEnrollment_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.BioEnrollment/Resources/AppDisplayName}|Desc=@{Microsoft.BioEnrollment_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.BioEnrollment/Resources/AppDisplayName}|LUOwn=S-1-5-21-2214540325-3392803530-572759246-500|AppPkgId=S-1-15-2-19479607-1015771884-3827151630-3301822711-2267158487-4079414233-1230461222|EmbedCtxt=@{Microsoft.BioEnrollment_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.BioEnrollment/Resources/AppDisplayName}| 23542300x800000000000000087800Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.612{9531C931-513E-623C-6505-000000004302}3588WIN-HOST-TCONTR\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Libraries\Videos.library-ms~RFa02f53.TMPMD5=5C4457BD243B565CF7571398F9C07277,SHA256=FA8CC14AC5FB4E65ED5673408550EEFABA7844F3B56B1A1D50559D46E819E7E8,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000087799Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:49.612{9531C931-286E-623C-1300-000000004302}700C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{DC2DC5D8-75B7-422B-A77E-5A7950CB0666}v2.26|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.BioEnrollment_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.BioEnrollment/Resources/AppDisplayName}|Desc=@{Microsoft.BioEnrollment_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.BioEnrollment/Resources/AppDisplayName}|LUOwn=S-1-5-21-2214540325-3392803530-572759246-500|AppPkgId=S-1-15-2-19479607-1015771884-3827151630-3301822711-2267158487-4079414233-1230461222|EmbedCtxt=@{Microsoft.BioEnrollment_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.BioEnrollment/Resources/AppDisplayName}| 23542300x800000000000000087798Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.597{9531C931-513E-623C-6505-000000004302}3588WIN-HOST-TCONTR\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Libraries\Pictures.library-ms~RFa02f33.TMPMD5=CE4EA1958BD7A54E6FFE7BD3A599A642,SHA256=6672E28A3AD07202118B42BBAC559D6A65AF8B3829B7AEB2F18B3EB70027DEFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087797Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.581{9531C931-513E-623C-6505-000000004302}3588WIN-HOST-TCONTR\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Libraries\Documents.library-ms~RFa02f33.TMPMD5=595763DFD2DAB977091A843EBCF1164F,SHA256=C7A2B95661E15C18F8407CD81FBDE33356781C26DF3C60ED914AC534D35CEF8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087796Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.581{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.BioEnrollment_cw5n1h2txyewy\Settings\settings.datMD5=A8308D2F3DDE0745E8B678BF69A2ECD0,SHA256=7FBB3E503ED8A4A8E5D5FAB601883CBB31D2E06D6B598460E570FB7A763EE555,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087795Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.565{9531C931-513E-623C-6505-000000004302}3588WIN-HOST-TCONTR\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Libraries\Videos.library-ms~RFa02f14.TMPMD5=DADFF5A5756573645ADC5785A8099647,SHA256=CCF4C19E821EBC9A362A58A3B6CCC2B03674297D1777C6036A83EDF672C16A11,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087794Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.550{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087793Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.550{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087792Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.550{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087791Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.550{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087790Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.550{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087789Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.550{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087788Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.550{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087787Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.550{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087786Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.550{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087785Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.550{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087784Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.550{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087783Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.550{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087782Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.550{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087781Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.534{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087780Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.534{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087779Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.534{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087778Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.534{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087777Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.534{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000087776Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.534{9531C931-513E-623C-6505-000000004302}3588WIN-HOST-TCONTR\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Libraries\Music.library-ms~RFa02ee5.TMPMD5=D252F6F15CAEDF365FE2BA1989DBE20F,SHA256=82FB3B41C3D72F27391B1D27B42C99932F26CF5C6E817B65AF5AAD293BC24ACB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087775Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.518{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087774Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.503{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000087773Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.503{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\AppReadiness\S-1-5-21-2214540325-3392803530-572759246-500MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087772Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.487{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087771Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.487{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087770Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.487{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087769Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.487{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087768Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.487{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087767Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.487{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087766Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.487{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087765Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.487{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087764Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.472{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087763Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.472{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087762Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.472{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087761Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.457{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000087760Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.440{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AF4B007A177D074DB4C5CA93B13C892,SHA256=6378B84446E6EAF476A07BBC92B60C60DC6791CBE797B77B5AB3A30B65875FE4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087759Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.440{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087758Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.440{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087757Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.440{9531C931-513F-623C-6705-000000004302}21641492C:\Windows\system32\svchost.exe{9531C931-513E-623C-6605-000000004302}780C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+115196|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000087756Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.440{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\AppReadiness\S-1-5-21-2214540325-3392803530-572759246-500MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087755Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.362{9531C931-286E-623C-1400-000000004302}9522720C:\Windows\system32\svchost.exe{9531C931-5141-623C-6E05-000000004302}692C:\Windows\System32\unregmp2.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087754Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.362{9531C931-286E-623C-1400-000000004302}9521104C:\Windows\system32\svchost.exe{9531C931-5141-623C-6E05-000000004302}692C:\Windows\System32\unregmp2.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087753Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.347{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087752Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.347{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087751Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.347{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087750Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.347{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087749Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.347{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087748Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.347{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087747Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.347{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000087746Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.347{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DB881EBBAAABAD2BBA9758414309EB5,SHA256=11A41639AFA372A867ADC982E8CDB07FA60214C7CABD0942DF3F5BF83D34E8B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087745Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.331{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087744Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.331{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087743Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.331{9531C931-5139-623C-5205-000000004302}15403348C:\Windows\system32\csrss.exe{9531C931-5141-623C-6E05-000000004302}692C:\Windows\System32\unregmp2.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000087742Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.331{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087741Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.331{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087740Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.331{9531C931-513E-623C-6505-000000004302}35882640C:\Windows\Explorer.EXE{9531C931-5141-623C-6E05-000000004302}692C:\Windows\System32\unregmp2.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e70b|C:\Windows\System32\windows.storage.dll+16e421|C:\Windows\System32\windows.storage.dll+16e06e|C:\Windows\System32\windows.storage.dll+16f310|C:\Windows\System32\windows.storage.dll+16ddbe|C:\Windows\System32\windows.storage.dll+fce7d|C:\Windows\System32\windows.storage.dll+fd5bc|C:\Windows\System32\windows.storage.dll+fc920|C:\Windows\System32\windows.storage.dll+1664ca|C:\Windows\System32\windows.storage.dll+166222|C:\Windows\System32\SHELL32.dll+9cf3d|C:\Windows\System32\SHELL32.dll+9bad6|C:\Windows\System32\SHELL32.dll+d9be1|C:\Windows\System32\SHELL32.dll+c0bbe|C:\Windows\System32\SHELL32.dll+551f64|C:\Windows\System32\SHELL32.dll+5519c0|C:\Windows\System32\SHELL32.dll+551b34|C:\Windows\System32\SHELL32.dll+23068d|C:\Windows\System32\SHELL32.dll+f82dd|C:\Windows\System32\SHELL32.dll+106b71 154100x800000000000000087739Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.333{9531C931-5141-623C-6E05-000000004302}692C:\Windows\System32\unregmp2.exe12.0.14393.4169 (rs1_release.210107-1130)Microsoft Windows Media Player Setup UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationunregmp2.exe"C:\Windows\System32\unregmp2.exe" /FirstLogonC:\Windows\system32\WIN-HOST-TCONTR\Administrator{9531C931-513B-623C-21B3-330000000000}0x33b3212HighMD5=0AFAF8B10C3D2B009DED280C875EA3EA,SHA256=CFC5A8170AF2CCB8F846BA738E5173596A4C35C023BCE5E6EB04E07779283188,IMPHASH=DFC94E57160B0CE8835243B5D92F3D9E{9531C931-513E-623C-6505-000000004302}3588C:\Windows\explorer.exeC:\Windows\Explorer.EXE 10341000x800000000000000087738Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.331{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-5141-623C-6D05-000000004302}3944C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087737Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.315{9531C931-286C-623C-0500-000000004302}408528C:\Windows\system32\csrss.exe{9531C931-5141-623C-6D05-000000004302}3944C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000087736Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.315{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-5141-623C-6D05-000000004302}3944C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f553|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25bc9|c:\windows\system32\rpcss.dll+40ca2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087735Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.315{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087734Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.315{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087733Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.315{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087732Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.315{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087731Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.315{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087730Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.315{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087729Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.315{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087728Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.315{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087727Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.315{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087726Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.315{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087725Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.315{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087724Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.315{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087723Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.315{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087722Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.315{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087721Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.284{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087720Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.284{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087719Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.284{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087718Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.284{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087717Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.284{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087716Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.284{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087715Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.284{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087714Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.284{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087713Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.268{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087712Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.268{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087711Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.268{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087710Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.268{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087709Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.268{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087708Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.268{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087707Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.268{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087706Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.253{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087705Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.253{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087704Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.253{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087703Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.253{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087702Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.253{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087701Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.253{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087700Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.253{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087699Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.253{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087698Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.253{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087697Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.237{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087696Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.237{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087695Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.237{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087694Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.237{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000087693Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.237{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64MD5=1036E3DDDC89A4E68D8A33F3823A180E,SHA256=FB5E512425FC9449316EC95969EBE71E2D576DBAB833D61E2A5B9330FD70EE02,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087692Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.237{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087691Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.237{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087690Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.237{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087689Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.237{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087688Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.237{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087687Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.237{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087686Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.237{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087685Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.237{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087684Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.206{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087683Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.206{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087682Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.206{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087681Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.206{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087680Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.206{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087679Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.206{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087678Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.190{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087677Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.190{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087676Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.190{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087675Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.190{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087674Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.190{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087673Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.190{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087672Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.175{9531C931-513C-623C-5A05-000000004302}29841052C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5001_none_7f26fe1021d6779b\TiWorker.exe{9531C931-513C-623C-5805-000000004302}416C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5001_none_7f26fe1021d6779b\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000087671Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.175{9531C931-513C-623C-5A05-000000004302}29841052C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5001_none_7f26fe1021d6779b\TiWorker.exe{9531C931-513C-623C-5805-000000004302}416C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5001_none_7f26fe1021d6779b\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000087670Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.159{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087669Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.159{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087668Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.159{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000087667Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:49.159{9531C931-286E-623C-1300-000000004302}700C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\PolicyVersionDWORD (0x0000021a) 13241300x800000000000000087666Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:49.159{9531C931-286E-623C-1300-000000004302}700C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\AppCs\S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272S-1-5-21-2214540325-3392803530-572759246-500v2.26|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|LUOwn=S-1-5-21-2214540325-3392803530-572759246-500|C=S-1-15-3-1|C=S-1-15-3-3|C=S-1-15-3-8|C=S-1-15-3-9|C=S-1-15-3-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|M=microsoft.aad.brokerplugin_cw5n1h2txyewy|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|D=C:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\|PFN=Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy| 10341000x800000000000000087665Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.159{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087664Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.159{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087663Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.159{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087662Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.144{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000087661Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:49.144{9531C931-286E-623C-1300-000000004302}700C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{80B48BBD-A10D-4DD3-9C11-8C1DF30D44AE}v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUOwn=S-1-5-21-2214540325-3392803530-572759246-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ| 10341000x800000000000000087660Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.144{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000087659Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:49.144{9531C931-286E-623C-1300-000000004302}700C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{47D5950B-CA7D-4060-A594-42845B9B2492}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUOwn=S-1-5-21-2214540325-3392803530-572759246-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ| 10341000x800000000000000087658Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.144{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087657Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.144{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087656Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.144{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087655Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.144{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000087654Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:49.144{9531C931-286E-623C-1300-000000004302}700C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{91368E9F-842D-43C9-9E6B-FBB43E5E0A94}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntErnet|RA62=IntErnet|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2214540325-3392803530-572759246-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}| 13241300x800000000000000087653Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:49.144{9531C931-286E-623C-1300-000000004302}700C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{C9813E09-2FFD-48DF-BF7E-F6F555043B4F}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Private|Profile=Public|RA42=RmtIntrAnet|RA62=RmtIntrAnet|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2214540325-3392803530-572759246-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Security=Authenticate| 10341000x800000000000000087652Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.144{9531C931-286E-623C-1400-000000004302}9521952C:\Windows\system32\svchost.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+4689|c:\windows\system32\themeservice.dll+3fdd|c:\windows\system32\themeservice.dll+74a3|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000087651Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:49.144{9531C931-286E-623C-1300-000000004302}700C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{CD1E70BB-420F-420E-B423-715F14B91EBF}v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Private|Profile=Public|RA42=RmtIntrAnet|RA62=RmtIntrAnet|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2214540325-3392803530-572759246-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Security=Authenticate| 13241300x800000000000000087650Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:49.144{9531C931-286E-623C-1300-000000004302}700C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{1A728FFD-AE1B-445D-8478-0763397B2D42}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntrAnet|RA62=IntrAnet|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2214540325-3392803530-572759246-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}| 13241300x800000000000000087649Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:49.144{9531C931-286E-623C-1300-000000004302}700C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{CC3E368A-3445-4CCF-827F-F4003F30A1A9}v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Profile=Public|RA42=IntrAnet|RA62=IntrAnet|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2214540325-3392803530-572759246-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}| 13241300x800000000000000087648Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:49.144{9531C931-286E-623C-1300-000000004302}700C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{CB2C7DB2-14BF-4C4A-944D-FF283EF7ED19}v2.26|Action=Block|Active=TRUE|Dir=Out|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUOwn=S-1-5-21-2214540325-3392803530-572759246-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}| 13241300x800000000000000087647Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:49.144{9531C931-286E-623C-1300-000000004302}700C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{ACDD13A7-E23B-469E-B263-93E48CA08839}v2.26|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUOwn=S-1-5-21-2214540325-3392803530-572759246-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}| 10341000x800000000000000087646Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.144{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087645Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.144{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087644Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.144{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087643Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.144{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087642Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.128{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087641Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.128{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087640Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.128{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087639Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.128{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087638Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.128{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087637Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.112{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087636Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.112{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087635Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.112{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087634Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.112{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087633Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.112{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000087632Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.034{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Settings\settings.datMD5=A8308D2F3DDE0745E8B678BF69A2ECD0,SHA256=7FBB3E503ED8A4A8E5D5FAB601883CBB31D2E06D6B598460E570FB7A763EE555,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000087631Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:49.003{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXEHKU\S-1-5-21-2214540325-3392803530-572759246-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{FBF23B40-E3F0-101B-8488-00AA003E56F8} {000214F9-0000-0000-C000-000000000046} 0xFFFFBinary Data 23542300x800000000000000088077Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.925{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_11[1].txtMD5=006B1BF929F2A82B7AD00727A9F1623C,SHA256=A9F72540A0C0F03453F87AC641EB31BF401D6BE7A92F4615E9C49C7725BC3427,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088076Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.925{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_10[1].txtMD5=203D482240E2A13DE24F8F82A9037348,SHA256=5B64FA6B42BE7F59D4D48C4C85ED73B9311003133E8F02F04AE6FA198CD81ED2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088075Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.925{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\appcache[1].manMD5=5F027173844AA0ED63AE4AC12D3B615C,SHA256=72ADFCEA238F8F0B956A60BED2C609F825973CA4D52B5D92E3D41C51E15B40DF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000088074Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.068{9531C931-286E-623C-1400-000000004302}952C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51752-false52.249.36.203-443https 354300x800000000000000088073Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:48.724{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51751-false10.0.1.12-8000- 23542300x800000000000000088072Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.909{9531C931-513E-623C-6505-000000004302}3588WIN-HOST-TCONTR\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000012.dbMD5=A7F8296CDC5152AB7651B283020EEE4F,SHA256=8A553E97AE3298F7478DF69DF7F5AB092CA144143ED387C935A84306F41DBCFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088071Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.894{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E277672FACC060EB863615C94C57754,SHA256=448B3D1CAA19C7DF42C1684514BC9836D4598F8DB5A1B16EC4CF586D90722783,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088070Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.800{9531C931-286C-623C-0B00-000000004302}6283668C:\Windows\system32\lsass.exe{9531C931-513D-623C-5E05-000000004302}2412C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088069Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.800{9531C931-286C-623C-0B00-000000004302}6283668C:\Windows\system32\lsass.exe{9531C931-513D-623C-5E05-000000004302}2412C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088068Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.800{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088067Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.800{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088066Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.800{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088065Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.800{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088064Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.800{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088063Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.784{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088062Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.784{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088061Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.784{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088060Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.768{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088059Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.768{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088058Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.768{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088057Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.768{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088056Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.768{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088055Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.768{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088054Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.768{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088053Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.768{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088052Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.768{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088051Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.768{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088050Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.753{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000088049Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:50.706{9531C931-286E-623C-1300-000000004302}700C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\AppCs\S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708S-1-5-21-2214540325-3392803530-572759246-500v2.26|AppPkgId=S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708|LUOwn=S-1-5-21-2214540325-3392803530-572759246-500|C=S-1-15-3-1|C=S-1-15-3-4|C=S-1-15-3-15993189-1149757597-3280441496-4094800555|C=S-1-15-3-139472938-1339732804-1469114779-4031155563|C=S-1-15-3-1849407097-1086866290-155560606-3624675039|C=S-1-15-3-2015030808-1290041139-4103196845-2461361948|C=S-1-15-3-2973957182-1175190094-721927306-1883016034|C=S-1-15-3-3633849274-1266774400-1199443125-2736873758|C=S-1-15-3-2105443330-1210154068-4021178019-2481794518|C=S-1-15-3-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708|M=microsoft.windows.shellexperiencehost_cw5n1h2txyewy|Name=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Desc=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|D=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\|PFN=Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy| 10341000x800000000000000088048Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.690{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000088047Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:50.675{9531C931-286E-623C-1300-000000004302}700C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{085FF3D7-9602-4F20-B08D-1BE328B87431}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Desc=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|LUOwn=S-1-5-21-2214540325-3392803530-572759246-500|AppPkgId=S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708|EmbedCtxt=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Platform=2:6:2|Platform2=GTEQ| 13241300x800000000000000088046Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:50.675{9531C931-286E-623C-1300-000000004302}700C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{04268421-4F8C-46AE-9409-66EA7BF98F15}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntErnet|RA62=IntErnet|Name=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Desc=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2214540325-3392803530-572759246-500|AppPkgId=S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708|EmbedCtxt=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}| 13241300x800000000000000088045Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:50.675{9531C931-286E-623C-1300-000000004302}700C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{40C2F651-34D3-4110-8C88-29C80C8C1954}v2.26|Action=Block|Active=TRUE|Dir=Out|Name=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Desc=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|LUOwn=S-1-5-21-2214540325-3392803530-572759246-500|AppPkgId=S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708|EmbedCtxt=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}| 13241300x800000000000000088044Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:50.675{9531C931-286E-623C-1300-000000004302}700C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{E517B508-F5D9-4767-A490-412AAA09904F}v2.26|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Desc=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|LUOwn=S-1-5-21-2214540325-3392803530-572759246-500|AppPkgId=S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708|EmbedCtxt=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}| 23542300x8000000000000000121070Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:50.097{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA2BC4BCE5A62C8E10667B79D356716E,SHA256=81E1BA15A90F2203DF8874B0CC11CBF05793BA5D75FAD0EE56A6F6A524D02DB1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088043Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.643{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088042Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.643{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088041Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.643{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088040Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.643{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088039Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.643{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088038Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.643{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088037Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.643{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088036Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.643{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000088035Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.628{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Header.binMD5=2477E1067EE108D32AA262307A357732,SHA256=C1A0FD9DA6CCA70C5D69C4E62FBDC08EBABCEAB018611E869B6F78EBABE9E640,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088034Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.628{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Data.binMD5=1454E96AC56B9536AB32CCA75F5E5D45,SHA256=9568E2708BEE9FE90D3D981F9D52415DED574A95BF9525EEE961A2467C9F5325,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088033Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.612{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088032Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.612{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088031Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.612{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000088030Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.612{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\AppReadiness\S-1-5-21-2214540325-3392803530-572759246-500MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088029Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.565{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088028Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.550{9531C931-513C-623C-5C05-000000004302}25563312C:\Windows\System32\RuntimeBroker.exe{9531C931-513D-623C-5E05-000000004302}2412C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\TokenBroker.dll+1158a|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+54153|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37efc|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e 10341000x800000000000000088027Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.550{9531C931-513C-623C-5C05-000000004302}25563312C:\Windows\System32\RuntimeBroker.exe{9531C931-513D-623C-5E05-000000004302}2412C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+114b3|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+54153|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37efc|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 23542300x800000000000000088026Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.534{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54A5B190D8FD08C274E67964BA60D369,SHA256=4A57956EFB4010ECD70140EACE2C933E273CF5771B29B87C4A241390D910EFE5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088025Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.487{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000088024Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.472{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG1MD5=08D33FDECF9DFDB3AAA55E46F4DDF872,SHA256=8890B44AAD4579F4798FAE71AF174F6AA9BF78A2556F77174D8B4E457E600EBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088023Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.456{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\settings.datMD5=134B2FB2E7188ED9BB83131C1F4907FC,SHA256=1D1EC260A84B289FDCEA6A538DE14870922F2FEDE4B45E10E138F239A8353562,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088022Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.456{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3FBB3E8074C612A55A0FED92A8A2243,SHA256=61A47793B58D67AF4609AD8C17537F7E1B0CFB10D047FC6E8E66BDC10B13BF5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088021Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.425{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\AC\Microsoft\Windows\855533271\3923659455.priMD5=2D61605026CA74ED5301578606464552,SHA256=84019A9745D574D378277A1084C237265451F0C45196348372A715711610EB40,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088020Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.425{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088019Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.425{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088018Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.425{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088017Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.425{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088016Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.393{9531C931-513F-623C-6705-000000004302}21644012C:\Windows\system32\svchost.exe{9531C931-513E-623C-6605-000000004302}780C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+115196|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088015Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.378{9531C931-286E-623C-1400-000000004302}9521952C:\Windows\system32\svchost.exe{9531C931-5142-623C-7105-000000004302}3248C:\Windows\System32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088014Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.378{9531C931-286E-623C-1400-000000004302}9521104C:\Windows\system32\svchost.exe{9531C931-5142-623C-7105-000000004302}3248C:\Windows\System32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088013Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.378{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088012Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.378{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088011Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.378{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088010Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.378{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088009Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.378{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088008Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.378{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088007Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.378{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088006Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.362{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088005Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.362{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088004Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.362{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088003Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.362{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088002Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.362{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088001Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.362{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088000Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.362{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087999Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.362{9531C931-5139-623C-5205-000000004302}15401684C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}3248C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000087998Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.362{9531C931-513E-623C-6505-000000004302}35882640C:\Windows\Explorer.EXE{00000000-0000-0000-0000-000000000000}3248C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e70b|C:\Windows\System32\windows.storage.dll+16e421|C:\Windows\System32\windows.storage.dll+16e06e|C:\Windows\System32\windows.storage.dll+16f310|C:\Windows\System32\windows.storage.dll+16ddbe|C:\Windows\System32\windows.storage.dll+fce7d|C:\Windows\System32\windows.storage.dll+fd5bc|C:\Windows\System32\windows.storage.dll+fc920|C:\Windows\System32\windows.storage.dll+1664ca|C:\Windows\System32\windows.storage.dll+166222|C:\Windows\System32\SHELL32.dll+9cf3d|C:\Windows\System32\SHELL32.dll+9bad6|C:\Windows\System32\SHELL32.dll+d9be1|C:\Windows\System32\SHELL32.dll+c0bbe|C:\Windows\System32\SHELL32.dll+551f64|C:\Windows\System32\SHELL32.dll+5519c0|C:\Windows\System32\SHELL32.dll+551b34|C:\Windows\System32\SHELL32.dll+23068d|C:\Windows\System32\SHELL32.dll+f82dd|C:\Windows\System32\SHELL32.dll+106b71 154100x800000000000000087997Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.368{9531C931-5142-623C-7105-000000004302}3248C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXE"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iesetup.dll",IEHardenUserC:\Windows\system32\WIN-HOST-TCONTR\Administrator{9531C931-513B-623C-21B3-330000000000}0x33b3212HighMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{9531C931-513E-623C-6505-000000004302}3588C:\Windows\explorer.exeC:\Windows\Explorer.EXE 10341000x800000000000000087996Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.362{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087995Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.362{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000087994Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.362{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\AC\Microsoft\Windows\3339743440\902793749.priMD5=98C999EAE532EE8FCB19ED482C1C0B6B,SHA256=081F850F71892C895B1808104D3C2B5293448F0F6B9E5003FD1D69DF5BD8E8B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087993Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.362{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087992Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.362{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087991Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.362{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087990Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.362{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087989Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.362{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087988Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.347{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087987Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.347{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087986Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.347{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087985Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.347{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087984Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.347{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087983Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.347{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000087982Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:50.347{9531C931-5142-623C-7005-000000004302}692C:\Windows\System32\rundll32.exeHKU\S-1-5-21-2214540325-3392803530-572759246-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1809DWORD (0x00000000) 13241300x800000000000000087981Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:50.347{9531C931-5142-623C-7005-000000004302}692C:\Windows\System32\rundll32.exeHKU\S-1-5-21-2214540325-3392803530-572759246-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1206DWORD (0x00000003) 23542300x800000000000000087980Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.331{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\ImmersiveControlPanel\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64MD5=1036E3DDDC89A4E68D8A33F3823A180E,SHA256=FB5E512425FC9449316EC95969EBE71E2D576DBAB833D61E2A5B9330FD70EE02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087979Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.331{9531C931-5142-623C-7005-000000004302}692WIN-HOST-TCONTR\AdministratorC:\Windows\System32\rundll32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RGI3217.tmpMD5=A828B8C496779BDB61FCE06BA0D57C39,SHA256=C952F470A428D5D61ED52FB05C0143258687081E1AD13CFE6FF58037B375364D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087978Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.315{9531C931-5142-623C-7005-000000004302}692WIN-HOST-TCONTR\AdministratorC:\Windows\System32\rundll32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RGI3217.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087977Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.315{9531C931-5142-623C-7005-000000004302}692WIN-HOST-TCONTR\AdministratorC:\Windows\System32\rundll32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RGI31F6.tmpMD5=3006752A2BCFEDA0F75D551EA656B2EF,SHA256=DFD64231860C732DCED3DC78627A7844A08D5D3E4CD253FD81186BAE33CC368A,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000087976Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:50.300{9531C931-5142-623C-7005-000000004302}692C:\Windows\System32\rundll32.exeHKU\S-1-5-21-2214540325-3392803530-572759246-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500DWORD (0x00000000) 23542300x800000000000000087975Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.300{9531C931-5142-623C-7005-000000004302}692WIN-HOST-TCONTR\AdministratorC:\Windows\System32\rundll32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RGI31F6.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087974Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.286{9531C931-5142-623C-7005-000000004302}692WIN-HOST-TCONTR\AdministratorC:\Windows\System32\rundll32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RGI31E6.tmpMD5=3006752A2BCFEDA0F75D551EA656B2EF,SHA256=DFD64231860C732DCED3DC78627A7844A08D5D3E4CD253FD81186BAE33CC368A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087973Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.286{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C82B61F6659A10E8449E2AA70494CF5,SHA256=1A7514170790CD6D3041F6282C41A8611207237009645146087EF7924D792222,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087972Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.268{9531C931-5142-623C-7005-000000004302}692WIN-HOST-TCONTR\AdministratorC:\Windows\System32\rundll32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RGI31E6.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087971Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.268{9531C931-5142-623C-7005-000000004302}692WIN-HOST-TCONTR\AdministratorC:\Windows\System32\rundll32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RGI31B6.tmpMD5=3006752A2BCFEDA0F75D551EA656B2EF,SHA256=DFD64231860C732DCED3DC78627A7844A08D5D3E4CD253FD81186BAE33CC368A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087970Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.268{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3C94CBDA2F5DDCF535FB29FC1CF0C23,SHA256=5D3EA2B9187D190F2AB139B3BDA521432FBDCA2E14999BFD403F4DCBF0A67319,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087969Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.237{9531C931-5142-623C-7005-000000004302}692WIN-HOST-TCONTR\AdministratorC:\Windows\System32\rundll32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RGI31B6.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087968Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.222{9531C931-5142-623C-7005-000000004302}692WIN-HOST-TCONTR\AdministratorC:\Windows\System32\rundll32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RGI31B5.tmpMD5=3006752A2BCFEDA0F75D551EA656B2EF,SHA256=DFD64231860C732DCED3DC78627A7844A08D5D3E4CD253FD81186BAE33CC368A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087967Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.222{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\Settings\settings.datMD5=A8308D2F3DDE0745E8B678BF69A2ECD0,SHA256=7FBB3E503ED8A4A8E5D5FAB601883CBB31D2E06D6B598460E570FB7A763EE555,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087966Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.222{9531C931-5142-623C-7005-000000004302}692WIN-HOST-TCONTR\AdministratorC:\Windows\System32\rundll32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RGI31B5.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087965Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.222{9531C931-5142-623C-7005-000000004302}692WIN-HOST-TCONTR\AdministratorC:\Windows\System32\rundll32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RGI31A4.tmpMD5=3006752A2BCFEDA0F75D551EA656B2EF,SHA256=DFD64231860C732DCED3DC78627A7844A08D5D3E4CD253FD81186BAE33CC368A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087964Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.222{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087963Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.222{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087962Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.206{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087961Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.206{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087960Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.206{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087959Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.206{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087958Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.206{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087957Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.206{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087956Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.206{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087955Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.206{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087954Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.206{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087953Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.206{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087952Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.206{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087951Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.206{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087950Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.206{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087949Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.206{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087948Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.206{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087947Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.206{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087946Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.206{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087945Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.206{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087944Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.206{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087943Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.206{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087942Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.206{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087941Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.206{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087940Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.206{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000087939Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.206{9531C931-5142-623C-7005-000000004302}692WIN-HOST-TCONTR\AdministratorC:\Windows\System32\rundll32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RGI31A4.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087938Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.190{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087937Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.190{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087936Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.190{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087935Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.190{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087934Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.190{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087933Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.190{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087932Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.190{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087931Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.190{9531C931-286E-623C-1400-000000004302}9522720C:\Windows\system32\svchost.exe{9531C931-5142-623C-7005-000000004302}692C:\Windows\System32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087930Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.190{9531C931-286E-623C-1400-000000004302}9521104C:\Windows\system32\svchost.exe{9531C931-5142-623C-7005-000000004302}692C:\Windows\System32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087929Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.175{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087928Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.175{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000087927Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.175{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\AppReadiness\S-1-5-21-2214540325-3392803530-572759246-500MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087926Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.159{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087925Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.159{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087924Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.159{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087923Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.159{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087922Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.159{9531C931-5139-623C-5205-000000004302}15403348C:\Windows\system32\csrss.exe{9531C931-5142-623C-7005-000000004302}692C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000087921Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.159{9531C931-513E-623C-6505-000000004302}35882640C:\Windows\Explorer.EXE{9531C931-5142-623C-7005-000000004302}692C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e70b|C:\Windows\System32\windows.storage.dll+16e421|C:\Windows\System32\windows.storage.dll+16e06e|C:\Windows\System32\windows.storage.dll+16f310|C:\Windows\System32\windows.storage.dll+16ddbe|C:\Windows\System32\windows.storage.dll+fce7d|C:\Windows\System32\windows.storage.dll+fd5bc|C:\Windows\System32\windows.storage.dll+fc920|C:\Windows\System32\windows.storage.dll+1664ca|C:\Windows\System32\windows.storage.dll+166222|C:\Windows\System32\SHELL32.dll+9cf3d|C:\Windows\System32\SHELL32.dll+9bad6|C:\Windows\System32\SHELL32.dll+d9be1|C:\Windows\System32\SHELL32.dll+c0bbe|C:\Windows\System32\SHELL32.dll+551f64|C:\Windows\System32\SHELL32.dll+5519c0|C:\Windows\System32\SHELL32.dll+551b34|C:\Windows\System32\SHELL32.dll+23068d|C:\Windows\System32\SHELL32.dll+f82dd|C:\Windows\System32\SHELL32.dll+106b71 154100x800000000000000087920Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.172{9531C931-5142-623C-7005-000000004302}692C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXE"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iesetup.dll",IEHardenAdminC:\Windows\system32\WIN-HOST-TCONTR\Administrator{9531C931-513B-623C-21B3-330000000000}0x33b3212HighMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{9531C931-513E-623C-6505-000000004302}3588C:\Windows\explorer.exeC:\Windows\Explorer.EXE 10341000x800000000000000087919Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.159{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087918Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.159{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000087917Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.159{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\AppReadiness\S-1-5-21-2214540325-3392803530-572759246-500MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000087916Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.143{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXEC:\Users\Administrator\Links\Downloads.lnk2022-03-23 10:15:57.702 23542300x800000000000000087915Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.143{9531C931-513E-623C-6505-000000004302}3588WIN-HOST-TCONTR\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\Links\Downloads.lnkMD5=859920D477EE7ED0174243DFF586E5E3,SHA256=1F8B2760E210762D02665D55224973A3EE73E43B7E0F5398AF35E86861B7CB50,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000087914Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.128{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXEC:\Users\Administrator\Links\Desktop.lnk2022-03-23 10:15:57.718 23542300x800000000000000087913Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.128{9531C931-513E-623C-6505-000000004302}3588WIN-HOST-TCONTR\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\Links\Desktop.lnkMD5=D5CF13D810C697DFC19F42E6D44FE391,SHA256=CDE1DBC52A9ED24304BE4A6EB10EBDD3C80F7016F136519CA3504F04539988E9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087912Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.112{9531C931-513F-623C-6705-000000004302}21644012C:\Windows\system32\svchost.exe{9531C931-513E-623C-6605-000000004302}780C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+115196|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087911Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.097{9531C931-513F-623C-6705-000000004302}21641492C:\Windows\system32\svchost.exe{9531C931-513E-623C-6605-000000004302}780C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+115196|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087910Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.065{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087909Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.065{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087908Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.065{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087907Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.065{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087906Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.065{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087905Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.065{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087904Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.065{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087903Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.050{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087902Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.050{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087901Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.050{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087900Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.050{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087899Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.050{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087898Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.050{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087897Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.050{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087896Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.050{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087895Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.050{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087894Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.050{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087893Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.050{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087892Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.050{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087891Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.050{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087890Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.050{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087889Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.050{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087888Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.050{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087887Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.050{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087886Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.050{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087885Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.034{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087884Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.034{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000087883Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.034{9531C931-513E-623C-6505-000000004302}3588WIN-HOST-TCONTR\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Libraries\Music.library-ms~RFa0305c.TMPMD5=235F5690A60DCDD695386F216A899418,SHA256=639B8E6E2FD24C4763F35F12F4E236666B7A5852D817271437282EF54F0699D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087882Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.034{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD58D7E4CD9F6BA5B1B5DDF4B8B208FA,SHA256=D4CE6394668FCF46AD7EE4FA37D74A52ED8210AC881F49F9EA72F2266F63866D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087881Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:50.034{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64MD5=1036E3DDDC89A4E68D8A33F3823A180E,SHA256=FB5E512425FC9449316EC95969EBE71E2D576DBAB833D61E2A5B9330FD70EE02,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087880Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.987{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087879Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.987{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087878Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.987{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087877Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.987{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087876Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.894{9531C931-286E-623C-1400-000000004302}9521952C:\Windows\system32\svchost.exe{9531C931-5141-623C-6F05-000000004302}3924C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087875Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.894{9531C931-286E-623C-1400-000000004302}9521104C:\Windows\system32\svchost.exe{9531C931-5141-623C-6F05-000000004302}3924C:\Windows\system32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087874Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:49.862{9531C931-5139-623C-5205-000000004302}15401684C:\Windows\system32\csrss.exe{9531C931-5141-623C-6F05-000000004302}3924C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 23542300x8000000000000000121071Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:51.191{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52C2D31528440843419C9525F46531E8,SHA256=ED497E866C2D70C7BEE94B223675C88D95AEB81DDA9E17B06DE838FCCAAB627E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088247Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.987{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088246Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.987{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088245Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.987{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088244Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.987{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088243Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.987{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088242Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.987{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088241Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.987{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088240Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.987{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088239Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.987{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088238Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.987{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088237Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.987{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088236Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.987{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088235Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.940{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088234Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.940{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088233Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.940{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088232Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.940{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088231Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.940{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088230Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.940{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088229Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.940{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000088228Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971InvDB-DriverVerSetValue2022-03-24 11:08:51.940{9531C931-286D-623C-1100-000000004302}932C:\Windows\System32\svchost.exe\REGISTRY\A\{a28d1d73-bddb-6f72-400a-31f7b2da58f0}\Root\InventoryDevicePnp\terminput_bus/umb/2&2c22bcc9&0&session2mouse0\DriverVerVersion10.0.14393.0 13241300x800000000000000088227Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971InvDB-DriverVerSetValue2022-03-24 11:08:51.925{9531C931-286D-623C-1100-000000004302}932C:\Windows\System32\svchost.exe\REGISTRY\A\{a28d1d73-bddb-6f72-400a-31f7b2da58f0}\Root\InventoryDevicePnp\terminput_bus/umb/2&2c22bcc9&0&session2keyboard0\DriverVerVersion10.0.14393.0 10341000x800000000000000088226Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.893{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088225Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.893{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000088224Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.893{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64MD5=1036E3DDDC89A4E68D8A33F3823A180E,SHA256=FB5E512425FC9449316EC95969EBE71E2D576DBAB833D61E2A5B9330FD70EE02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088223Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.893{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2314E8CAB4D27BAA7F210D6957EF2935,SHA256=0B36ADF86B22C852E2720A39BB47503FC2CD5A867A54212F970F52EDCAB94CD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088222Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.893{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\AppReadiness\S-1-5-21-2214540325-3392803530-572759246-500MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000088221Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:51.659{9531C931-286E-623C-1300-000000004302}700C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\AppCs\S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742S-1-5-21-2214540325-3392803530-572759246-500v2.26|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|LUOwn=S-1-5-21-2214540325-3392803530-572759246-500|C=S-1-15-3-1|C=S-1-15-3-2|C=S-1-15-3-3|C=S-1-15-3-4|C=S-1-15-3-6|C=S-1-15-3-8|C=S-1-15-3-9|C=S-1-15-3-787448254-1207972858-3558633622-1059886964|C=S-1-15-3-3215430884-1339816292-89257616-1145831019|C=S-1-15-3-3071617654-1314403908-1117750160-3581451107|C=S-1-15-3-593192589-1214558892-284007604-3553228420|C=S-1-15-3-3870101518-1154309966-1696731070-4111764952|C=S-1-15-3-2105443330-1210154068-4021178019-2481794518|C=S-1-15-3-2345035983-1170044712-735049875-2883010875|C=S-1-15-3-3633849274-1266774400-1199443125-2736873758|C=S-1-15-3-2569730672-1095266119-53537203-1209375796|C=S-1-15-3-2569730672-1095266119-53537203-1209375796|C=S-1-15-3-2452736844-1257488215-2818397580-3305426111|C=S-1-15-3-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|M=microsoft.windows.cortana_cw5n1h2txyewy|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|D=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\|PFN=Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy| 13241300x800000000000000088220Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:51.628{9531C931-286E-623C-1300-000000004302}700C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{DC658A99-B1FF-447B-AF53-B7EA2EAB1555}v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUOwn=S-1-5-21-2214540325-3392803530-572759246-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|Edge=TRUE| 13241300x800000000000000088219Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:51.628{9531C931-286E-623C-1300-000000004302}700C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{994D156A-3B72-4654-8FD4-BCC869DA9309}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUOwn=S-1-5-21-2214540325-3392803530-572759246-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ| 13241300x800000000000000088218Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:51.628{9531C931-286E-623C-1300-000000004302}700C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{084EFF1A-473A-476D-AEB8-8DAF6BB0C936}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntErnet|RA62=IntErnet|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-2)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2214540325-3392803530-572759246-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}| 13241300x800000000000000088217Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:51.628{9531C931-286E-623C-1300-000000004302}700C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{94E98475-DD66-4383-9D5D-9542B3B69918}v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Profile=Public|RA42=IntErnet|RA62=IntErnet|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-2)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2214540325-3392803530-572759246-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}| 23542300x800000000000000088216Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.628{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D25C3EDE68C79846D294316F18F842DE,SHA256=C20D2EF7D6AFCADE2DF3AC51BF33C27A325AA7AD7D59B3985A1C6B4BEC94AE25,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000088215Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:51.628{9531C931-286E-623C-1300-000000004302}700C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{9351BE05-375F-4B71-ABE7-E49375E37504}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Private|Profile=Public|RA42=RmtIntrAnet|RA62=RmtIntrAnet|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2214540325-3392803530-572759246-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Security=Authenticate| 13241300x800000000000000088214Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:51.628{9531C931-286E-623C-1300-000000004302}700C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{B05729D9-CBEC-405C-AB77-DB24FA7D3CA3}v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Private|Profile=Public|RA42=RmtIntrAnet|RA62=RmtIntrAnet|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2214540325-3392803530-572759246-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Security=Authenticate| 13241300x800000000000000088213Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:51.628{9531C931-286E-623C-1300-000000004302}700C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{101A8F89-146C-4687-847C-177FE30D7E14}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntrAnet|RA62=IntrAnet|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2214540325-3392803530-572759246-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}| 13241300x800000000000000088212Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:51.628{9531C931-286E-623C-1300-000000004302}700C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{F0D9E938-D4E9-40C0-B4FD-9CBC496BB6B1}v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Profile=Public|RA42=IntrAnet|RA62=IntrAnet|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2214540325-3392803530-572759246-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}| 13241300x800000000000000088211Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:51.628{9531C931-286E-623C-1300-000000004302}700C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{D0DF55E0-BE62-487E-85C7-99F9E67DF595}v2.26|Action=Block|Active=TRUE|Dir=Out|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUOwn=S-1-5-21-2214540325-3392803530-572759246-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}| 13241300x800000000000000088210Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:51.628{9531C931-286E-623C-1300-000000004302}700C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{F5E7192A-10ED-4802-A435-F9369225F06D}v2.26|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUOwn=S-1-5-21-2214540325-3392803530-572759246-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}| 10341000x800000000000000088209Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.597{9531C931-513F-623C-6705-000000004302}21644012C:\Windows\system32\svchost.exe{9531C931-513E-623C-6605-000000004302}780C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+115196|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000088208Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.581{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\Settings\settings.dat.LOG2MD5=F045C633B9340D27547D12EECC7EE0B9,SHA256=9D04CBA5F699DF1AD06BC5541F85917A856292F181493393EC89EBF2980A1B3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088207Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.581{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\Settings\settings.dat.LOG1MD5=CD0B1FDF28910E391492F4807B474473,SHA256=EF923067C3091E773EB086A786D5E2FCA53B01EE8CE0A2EEB6704C85935CD2F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088206Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.581{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\Settings\settings.datMD5=9C746CF42DB3B621537D8310CE3D4BE1,SHA256=52D93909D30105CE61FB14BD32AC9473BC627199AA83808B337F6D874CC46FDC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088205Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.581{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088204Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.581{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088203Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.581{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088202Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.581{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088201Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.581{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088200Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.581{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088199Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.581{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000088198Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.565{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache131420250026721327.txtMD5=35CB8C19D2035D2165E1EFA7FA0ADF70,SHA256=5DCC967527060112D9824F3C852F5F1344613C12F2BEEAAF6D67A901E00B615F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088197Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.565{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088196Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.565{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088195Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.550{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088194Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.550{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088193Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.550{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000088192Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.550{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache131420249992652675.txtMD5=35CB8C19D2035D2165E1EFA7FA0ADF70,SHA256=5DCC967527060112D9824F3C852F5F1344613C12F2BEEAAF6D67A901E00B615F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088191Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.550{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088190Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.550{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088189Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.550{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088188Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.550{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088187Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.550{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088186Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.550{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088185Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.550{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088184Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.550{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088183Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.550{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000088182Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.550{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{93e918b8-f239-44ba-b3fb-ad2d4b5024b9}\settingssynonyms.txtMD5=9239D33BCC9C55C4D97DCAE64A7E2F5B,SHA256=D147C9B76ACC226324DEF206D680C3368109018BE254FD1399C8E2ED2C3D77E8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088181Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.550{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000088180Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.550{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{93e918b8-f239-44ba-b3fb-ad2d4b5024b9}\settingsglobals.txtMD5=D2D6B108ED635B192276F2E13160BB9F,SHA256=598A2674BE811C1256B0E18311CE5CBA2A542D0965FF4A0AC96173CE78A4C575,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088179Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.550{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088178Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.550{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088177Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.550{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088176Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.550{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088175Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.550{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000088174Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.535{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{93e918b8-f239-44ba-b3fb-ad2d4b5024b9}\settingsconversions.txtMD5=F21F68AB0FD9BF5B4255EDDDE72BE816,SHA256=9034FBD5F370A37A2E43CAE5D482B84D3ED9B6C62C6DDBC4BEE25B0526AD25EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088173Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.535{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{93e918b8-f239-44ba-b3fb-ad2d4b5024b9}\settings.schemaMD5=AC68AC6BFFD26DBEA6B7DBD00A19A3DD,SHA256=D6BDEAA9BC0674AE9E8C43F2E9F68A2C7BB8575B3509685B481940FDA834E031,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088172Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.535{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{93e918b8-f239-44ba-b3fb-ad2d4b5024b9}\settings.csgMD5=A97FD910ECCB1049B949DF2B6D0EA605,SHA256=B84B14439AD5607B15A96B922CD63EA6C8CB1281BF3B84037C5CE90FBEB29766,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088171Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.535{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{93e918b8-f239-44ba-b3fb-ad2d4b5024b9}\appssynonyms.txtMD5=E86D86E41327A21E2448076DD6C97A81,SHA256=A3DC890A9E3D99D3336455F0CFD94ACCAAD69242D0A1C8649AC82B8E1F8BB6FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088170Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.535{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64MD5=1036E3DDDC89A4E68D8A33F3823A180E,SHA256=FB5E512425FC9449316EC95969EBE71E2D576DBAB833D61E2A5B9330FD70EE02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088169Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.518{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=152E196D09EE69A05F27E32917DA97FB,SHA256=E2C92486D38ABE4E5FB1E7B99343152F8A8DF6019ADEE119FC1ADFA1E07C6E10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088168Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.518{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{93e918b8-f239-44ba-b3fb-ad2d4b5024b9}\appsglobals.txtMD5=5925E930562DA940101DE785C1CBC5B3,SHA256=B6C3C8B85CECB5743E5A62C706152F83606B5690F0926B5CC16D29CBFE3ED39B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088167Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.503{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{93e918b8-f239-44ba-b3fb-ad2d4b5024b9}\appsconversions.txtMD5=F21F68AB0FD9BF5B4255EDDDE72BE816,SHA256=9034FBD5F370A37A2E43CAE5D482B84D3ED9B6C62C6DDBC4BEE25B0526AD25EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088166Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.503{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{93e918b8-f239-44ba-b3fb-ad2d4b5024b9}\apps.schemaMD5=1659677C45C49A78F33551DA43494005,SHA256=5AF0FC2A0B5CCECDC04E54B3C60F28E3FF5C7D4E1809C6D7C8469F0567C090BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088165Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.503{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{93e918b8-f239-44ba-b3fb-ad2d4b5024b9}\apps.csgMD5=FB7202F6D377FD89C7B261E34D680D33,SHA256=839D24F509CA8BF8737074BF42E83A88A32EE3760BD34BBA2A7CF6CF482A1C0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088164Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.503{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{521a01b1-5b6c-41b6-ad58-79363f21599f}\Apps.indexMD5=D38A175DD3C786FE6065A00AD306D74F,SHA256=57D9784D2866D21A61FA5FB04373807EDCBF7FAF298A2894C482A6EA80D419FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088163Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.487{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{521a01b1-5b6c-41b6-ad58-79363f21599f}\Apps.ftMD5=F256707B0901454854702BF58E4DEF0B,SHA256=2603EF3B568C277FF92E75593C0969A0E24291BBC9419080B77D567A53825ED1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088162Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.487{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{521a01b1-5b6c-41b6-ad58-79363f21599f}\Apps.dataMD5=09924E1BACD1740F5906D89DD6905D99,SHA256=98C574D4894041260AB499048E2B5CB9F58A58AA42B5DDFAE9C44D2BEEA9023D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088161Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.487{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{521a01b1-5b6c-41b6-ad58-79363f21599f}\0.2.filtertrie.intermediate.txtMD5=C204E9FAAF8565AD333828BEFF2D786E,SHA256=D65B6A3BF11A27A1CED1F7E98082246E40CF01289FD47FE4A5ED46C221F2F73F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088160Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.487{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{521a01b1-5b6c-41b6-ad58-79363f21599f}\0.1.filtertrie.intermediate.txtMD5=34BD1DFB9F72CF4F86E6DF6DA0A9E49A,SHA256=8E1E6A3D56796A245D0C7B0849548932FEE803BBDB03F6E289495830E017F14C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088159Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.472{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{521a01b1-5b6c-41b6-ad58-79363f21599f}\0.0.filtertrie.intermediate.txtMD5=F975464F45E06A57B8FE3C4FFE644599,SHA256=41B65982C681DAFBA517CEA1878436C4FE1500C161A00B9A916661DB425D5FB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088158Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.472{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{1898f399-c028-4710-b40c-a5a12eaa891f}\Apps.indexMD5=D38A175DD3C786FE6065A00AD306D74F,SHA256=57D9784D2866D21A61FA5FB04373807EDCBF7FAF298A2894C482A6EA80D419FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088157Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.440{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{1898f399-c028-4710-b40c-a5a12eaa891f}\Apps.ftMD5=F256707B0901454854702BF58E4DEF0B,SHA256=2603EF3B568C277FF92E75593C0969A0E24291BBC9419080B77D567A53825ED1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088156Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.440{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{1898f399-c028-4710-b40c-a5a12eaa891f}\Apps.dataMD5=09924E1BACD1740F5906D89DD6905D99,SHA256=98C574D4894041260AB499048E2B5CB9F58A58AA42B5DDFAE9C44D2BEEA9023D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088155Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.425{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{1898f399-c028-4710-b40c-a5a12eaa891f}\0.2.filtertrie.intermediate.txtMD5=C204E9FAAF8565AD333828BEFF2D786E,SHA256=D65B6A3BF11A27A1CED1F7E98082246E40CF01289FD47FE4A5ED46C221F2F73F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088154Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.425{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{1898f399-c028-4710-b40c-a5a12eaa891f}\0.1.filtertrie.intermediate.txtMD5=34BD1DFB9F72CF4F86E6DF6DA0A9E49A,SHA256=8E1E6A3D56796A245D0C7B0849548932FEE803BBDB03F6E289495830E017F14C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088153Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.425{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{1898f399-c028-4710-b40c-a5a12eaa891f}\0.0.filtertrie.intermediate.txtMD5=F975464F45E06A57B8FE3C4FFE644599,SHA256=41B65982C681DAFBA517CEA1878436C4FE1500C161A00B9A916661DB425D5FB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088152Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.425{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{FEEDCB9B-F3C5-495B-A8D7-84F79D27D88E}MD5=9FCDA9AF0663B95421B2DF4DF2E1B9D4,SHA256=B3003B1A6220FA0F3390E2F297DFA4209C45C3D8FB9B55ABBA2507792720A89C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088151Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.412{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{FE283CE6-7678-4BF6-BD45-D855B6683130}MD5=3E30C6D0FC6DB0EE27A19FCF25DF566B,SHA256=EA12C2CD052FE46441BCC9C4FB81D9D52C1FEE3AEE762C09EB2FE34D19B1D2A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088150Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.412{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{E79AFC5E-81E0-48C0-B2B8-B0755C4E824D}MD5=8571A37EA5341C6306283678D6D7B3F7,SHA256=DA51B889B504FE15B3526AA6A87A4A9843989F4EB6D32CFB205861A223030B21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088149Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.393{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{E46F3460-B4C6-40F2-9BF2-B4D9A4F6ED86}MD5=DB04268CDC55A7FE26A2F145F86BF875,SHA256=CFACBA24A15CFB163790F9C67CDB2B2CC82CE006B9E32AC8687DBFC7DB69B258,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088148Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.393{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{E28967A0-A00F-44F4-BEB5-D1DC1F682F91}MD5=D073912E2B55F885ADC380FB3849A88D,SHA256=3D6632DD180019CC415F024A5C0724886E4F5E90116E78F5B390E09475C8A1C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088147Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.393{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{E1C5F6E0-5D96-4432-9C54-B630B005F17D}MD5=A220E6F69189C7C262EA46B8EE8E6FE4,SHA256=556020DC6EFBDBF8054FAEEE15519516CBF2B11904D5AF9E04D041D7480BCA58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088146Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.393{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{DE7873BF-B56F-4465-AA14-AD810677CFF1}MD5=5E62597AD6E77746796E3B8571490D14,SHA256=45FB70B917C807BEFD513465866C4D27A4E869DA31182CDCF6D314DF224EB651,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088145Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.378{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{D7779C65-D55A-4E6E-AB28-222AD101D61C}MD5=9001B10995D8FDABC78945D7B210649D,SHA256=92818CA4F5FB7F3808ABFDE9EFED7E2292FBE9195366132EDB50F3A246CA00B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088144Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.378{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{CAD3CFB0-7CDE-43F8-B95D-98E958A585B7}MD5=41ABD480C1392D97DF3ACFFE760D2804,SHA256=7BEF858DA7D8B87F8E4C7804731E91AF5618DF4838EFC2BE398F609078268479,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088143Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.378{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{C5DABA0D-CF94-465F-9B6B-C598EE8CCEE8}MD5=DEAC14151C0C509293EEE44191D9CD8D,SHA256=A169AF78E7C013538AE66FC03A2B859A0D6D4F5D5F77BFF03415E9C25084B430,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088142Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.362{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{BBD6B771-DF9C-48D4-99BF-77C177FAAD05}MD5=ED16924B1B7A952B1CB20D8515BEBB70,SHA256=6966D629DD24B6904DB8AA9C9F06197706E039848C15BE8FA738E4ED25F06B0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088141Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.362{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{B69C64CD-23EC-43CB-8DAE-EB6560EAACC3}MD5=A461B8A48DB3B6C08E072140728A43C4,SHA256=21C57136A790877DA3640B5691C0F651D503D133B2B6936F5203BEE3F30A9565,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088140Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.362{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{B59BA0CB-7100-4018-A4F9-D539D5F4E058}MD5=DA594A38AD299ADA683372EBA5881CAD,SHA256=F0529ED98871CFB5607C993309D0A3DDB84CE36EC2E41897CB6BD8EB683711CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088139Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.362{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{B4D06CEE-9D19-4A4D-B72A-396F2B566927}MD5=5F0A30B2DC6750BA2867B7BC006BD8FB,SHA256=9051D648449406B051B8A06D3372962529004EE159132D437E89AB6AEFA8A880,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088138Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.362{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{B14CA865-C958-4580-9074-7E92964475FC}MD5=73252311BC2FB738EA33277A28F3596B,SHA256=7B6EA44D32065F717612C79F94114F9259C08D5465EBC007F16AEA92FD4D1CEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088137Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.362{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{B0DD03EF-8C20-43DB-BDD2-4CFAB623574E}MD5=74017CA605E121CBA7CF92459B8C5638,SHA256=A4B6642597D4E32EB8FAC89CB4450E226C3978F963BDBFE95ECCAA527F1E8EAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088136Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.362{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{AD913853-B212-444B-9876-3E2C3A49A8EB}MD5=206A73951B8654BD2B70962A78C00BE1,SHA256=19DA4F01CBB9BFDD977E06AF58B95CEC1D4A027C776A178469251B5F0B9D9A3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088135Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.362{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{A5400422-73B1-4B93-91A9-72E697208472}MD5=00B94F495BD57E421FEF46D7A1EECF44,SHA256=3C1C7F8A819B758DAD75031F99AEF06C94B418FA2FC199F82BFAE815483E11C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088134Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.362{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{A4E61E50-3EF0-4DA6-8275-CD489D676DAB}MD5=2BA0F2705632CB30D7BCA6DF8D087F2D,SHA256=7E47070E9ED1DFB752DD755B918F943B0B231C0885F55DF05EE82470595E3022,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088133Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.347{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{9D07DE99-52F7-454A-8CE6-31DA9AA94ED8}MD5=9456CEECAC6A1245C482C3B82593846D,SHA256=963DE82340F63CFB27DFDD15CD5643FE93D6C0AADB0B96B7923F0E23815F10CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088132Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.347{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{98C2D61D-6107-43E9-BCD8-6EB83D77ADEF}MD5=60FFAC14CA2196E3D54342C4C45F7C2B,SHA256=9979DFF1E142B348644E5C7735FCD13D8871408DCF4E0913D9FD9A3EC8436C1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088131Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.347{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{9485A429-81C2-4352-A24F-92682A765D4B}MD5=349FE67C44E950D305D486C590998F2B,SHA256=B5832863667B94E5D9380583C2B626BC6969F8C9D362D2241F99C57ED5A4B157,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088130Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.347{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{8D75FAE0-23F9-47DE-A54A-C2427D45DCAC}MD5=DEAC14151C0C509293EEE44191D9CD8D,SHA256=A169AF78E7C013538AE66FC03A2B859A0D6D4F5D5F77BFF03415E9C25084B430,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088129Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.347{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{8AB7F553-0827-496F-B610-82D31E06AC96}MD5=A2C26EBC40D4625D952314673C6141E9,SHA256=902AC55382C57835ED2151549B7D12211436E67A63B3B0E44FB384A661228729,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088128Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.347{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{891D5E7A-7A57-4CBF-9089-443EE49B6103}MD5=911DEFC897CECC2D0C78E5B96D5D515B,SHA256=965BD9A6F5738140EB5A51EFBC44129112C25FC82825BA7F30113602A6E8C902,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088127Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.331{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{891649DE-3DE4-49E5-90AC-0987EA95353B}MD5=05F75F6404996B3E39476104E78DF209,SHA256=1E4258113A2D151783ADB9D626D38E7F67CFAB9C79FE14B27E07170081D145C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088126Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.331{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{84B49252-6DEC-40A8-90BE-86AE577E1B23}MD5=55F95E08D08A7A3768F27800D9217B04,SHA256=37F9BC821FDE92326D617E96AA6ADB2DBE7EB2666B1A88451F9410B80A774377,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088125Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.331{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{829BE0F1-69E1-42FD-A3B6-359E1C3C1345}MD5=B467C6E316631A8A0420CB9F40222D93,SHA256=55336E857424336DBC05D5B2B96AEAAE4D296B1D6D5B031A5869B25143624085,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088124Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.331{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{80A3BBAD-ABC2-4C9D-86E6-B04FA287F655}MD5=4174344A2D19128BADE81E2EB14BDC1D,SHA256=FC6C1C04EE333CB336B7DC428C25B995F7B85F49ADBDC88EBC7262C1307885FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088123Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.331{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{74B164BF-3E71-46AF-8ACB-AAA4A76A5378}MD5=349FE67C44E950D305D486C590998F2B,SHA256=B5832863667B94E5D9380583C2B626BC6969F8C9D362D2241F99C57ED5A4B157,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088122Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.331{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{735E8BE6-1731-42CA-A8F3-B53E930EDCDB}MD5=18E3CA8C6CCA69E00EC76747FAB81F0B,SHA256=08148891128E558A6C3CD3EEEE68457F3D1A10F1A2720DE0A4E27D1543A4F785,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088121Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.315{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{72CE2732-257D-4200-8BC3-7ABC84224683}MD5=854754F8D9E7F7D9AAF2FA7F6BE1A1EF,SHA256=E6F4EFACF3E1CAD20C8245C7B9408E2BE2C2D6FD70B781F48A4BA22F067ED731,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088120Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.315{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{6D1CC60E-42DB-4A1B-A50C-DC1DF51BFBF1}MD5=5E74B43DD59C1AB6F5244DA6154DDEB4,SHA256=DB8971C2F98690196197BC5A5875D3233E0FBC7B512BFA60659E67D5296FE080,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088119Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.315{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{6A253CE4-5CE2-4926-BF13-2F00787D2097}MD5=D9E99905D3D6FB42429AAF5DE84FCADA,SHA256=B8359F6E6BC9E16731B65A9F8253C86E846E9C1F951B1351CBD649FA6E286BC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088118Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.315{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{552E6613-D145-4B51-A24E-3C8B003E24A4}MD5=C359A6183B25EF8221256AFEDCE656B8,SHA256=E9122C2C02DEBBB1AFF1FBFE30465AFAA0CFBD4EAE9C10AEA58A6663DEE9EE8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088117Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.315{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{526402D0-291F-4761-931C-0273D14B2CF0}MD5=0CE681BD1598F07606E87609151DC42A,SHA256=1334CF9557C973A9F6AF7280C8C165C434A24947DE6E1647B27E62CB822FF31A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088116Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.315{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{4FC5BD42-2CCF-4A96-AD8E-C83520ADB20F}MD5=922CD9F5F7320A813B0DAC1080EB7709,SHA256=346145F9100D8CA04CE7FC277D8775DF500D1FD1995F6CE28BBEEF685DFF04DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088115Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.315{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{4E171B62-A785-4231-B14E-626B192185F0}MD5=0796DDBF4C9B9D94DC5FD03E92485F28,SHA256=DBC10BA43AA770F1D3A36F7CAC2B50AE664804F28214B792E3C56266D7E8F377,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088114Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.300{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{4CC3BE49-DBA3-470D-94C8-20CE40F2BCAA}MD5=164DF3D6F46E23E2FA08C9D8B57D071C,SHA256=2CEAF005435274273EB097157EA09E468BCD39ED9A7D63ECD04A0C6986B1528C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088113Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.300{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{4CA8F3BE-4DEC-4028-BAEF-6491FC4270C3}MD5=68F587A5B93845BD54716A6C6C932688,SHA256=3A319B5FA81F068C11959C024D08DADF279A00CA5C6B8C3F574C4DB64822AD56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088112Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.300{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{4975E0B9-496B-4FF0-BC0E-1E06B22BDD96}MD5=C8B4FC8B8745BDE84005D690D3A026B2,SHA256=8779E3A2B6294AED675906209B8CD86FE1A79E0D3770AED38600278C29E6E55E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088111Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.300{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{48A82B41-50A4-42D7-B403-B5D5FC29426F}MD5=164DF3D6F46E23E2FA08C9D8B57D071C,SHA256=2CEAF005435274273EB097157EA09E468BCD39ED9A7D63ECD04A0C6986B1528C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088110Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.300{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{3F7F98FC-AA70-447B-8115-EB5A44909800}MD5=F4AF1310D8D92B88BAB00ECA2F49C398,SHA256=3130C6EC89917106856DA972EA6157791A6F8DD405164F86B7EF73F849A158DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088109Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.300{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{3A0E2E7D-9FED-42CB-8877-33CF7980ECDA}MD5=544AC2AEF10A0AAC6646D5D372CC839A,SHA256=E402AAF80000D1AE4C9C731B2D45E9E1D707C1F9ED0935EF065968C47306E85E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088108Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.300{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{38A89348-B3AE-479E-9816-8957D41F333A}MD5=7E65C5A57A575C58A5405595565EA22E,SHA256=9FA31C4A02F57CEF0DE517567F7D218DA51B530A387E6198F25B60967C43AEA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088107Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.300{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{33E693A3-517A-4347-A45E-3E8F1A25B030}MD5=1A1A2950F1D4A9770DF78E6CD2BCACC2,SHA256=28EA58D31BC5379C5760FC79481AFFAD0E1A132AAC6C794D8C849D6BDED9AE1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088106Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.284{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{3039DC32-E634-4F64-AD60-9038F8E7D74E}MD5=D073912E2B55F885ADC380FB3849A88D,SHA256=3D6632DD180019CC415F024A5C0724886E4F5E90116E78F5B390E09475C8A1C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088105Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.284{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{2D2370BB-9EFA-4648-B021-63A266D97A51}MD5=B590C6A1DBD4BAE99FED3744E0898536,SHA256=FEA47174536A406B031F040F394417218427405C4EB30558D6126A1AA79F6005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088104Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.284{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{24A5753E-C22E-49F4-BC08-F780BC6B1286}MD5=F3EFEAA4A73DB4D7D39C729FDE3305A7,SHA256=8C33FC0D66799635812F0F5F96B35C699ACAC5753DB1FFA89DA9520C81CAE9F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088103Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.284{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{1F6412A2-2B23-4074-A89D-9586B3CFBF11}MD5=9A987ABDC3B59D4D4E488190C758BC8A,SHA256=F9B1BF1FC533A009213B23911DBA90DF8E914BB93C458D7A86C89D8546AE1FEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088102Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.268{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{1CC42A14-06FE-4766-987D-39817BF3005F}MD5=3700764E031A12B2220A2C082EF7BBBE,SHA256=A772660D39E4150FB6017A0FDBDE096EB17128774678A018BFFEDCDB507101F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088101Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.268{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{19AC3423-5AC0-4CD7-9E2B-DB6C0DECE3C4}MD5=9001B10995D8FDABC78945D7B210649D,SHA256=92818CA4F5FB7F3808ABFDE9EFED7E2292FBE9195366132EDB50F3A246CA00B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088100Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.268{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{03152E59-DE8A-4AF5-8757-7FF15DC09A3C}MD5=25917526232EBDB7DE54634BFB5E6A33,SHA256=467251FCB3C564947AA615B69ECFC765763BBAA61B47CA13FD1895307E30125E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088099Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.253{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\2\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_CortanaIcon[1].pngMD5=A98EF91236D0A680740A3C0F10937087,SHA256=660FDBEDE1BFFF4F5F322F2DD862445A2BE9101828A32013843E5F6E0320D804,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088098Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.253{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\2\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_COOBE[1].htmlMD5=CDD4A14258DC43D22C37F1E721AEC245,SHA256=0D9E19723D9ED66DD13CB8657808963130BAD94249F03228CCC68BB32FC360C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088097Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.237{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\2\appcache[1].manMD5=9C09D8D73BB5BB4E83BE6D75D117BCDA,SHA256=F34BC09B3486A486AABF2BE3A3E6728A5FCD17821CAF41CFAC78CE85A63C6AC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088096Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.237{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_9[1].txtMD5=F98851A644D901C32D1152CF001C2A30,SHA256=8A450F4631B7F451F470B7E7EF723A872C962749001C75AB1E9A01FC2765766A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088095Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.237{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_8[1].txtMD5=5B7A3FBF6CE7627737B7AE8F7F73AF2B,SHA256=E5C8A584A8EF5082455DF1B7D986CDF9160F0A5AFA0EC6FD360EAAB9A1A8C5C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088094Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.237{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_7[1].txtMD5=FF638505C57813F0F9115CB2F853BC07,SHA256=18695997D547308B565AA0D9AC8FDF8981966A47AF431DCC943BCC882AB6ECB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088093Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.237{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_6[1].txtMD5=E68A5D04BF606560BDC326154A025956,SHA256=C32FBB255C914DA8336038933E799C5FEC8D50A0661B78DAB9E312131E7B7637,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088092Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.222{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_5[1].txtMD5=10D7D30E23DBC108EC78C03F9E741566,SHA256=99355DBE0DDE1F5390AF8BA6FEB736E85B00C13E8D08B560DFE2D7EC5465E8C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088091Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.222{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_4[1].txtMD5=D20D4B52F55421E4F0EE293FA394F274,SHA256=6594DB803F6BEAC699E3B4FE1BFFF9F1A6C8B7D1CB43A9A92A7D6979EE62B9ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088090Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.222{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_3[1].txtMD5=766B33AB225A94D22C45803D32D1D2C4,SHA256=8BF750226E7E4720AFCD86820D0752946ABB11DB79EF62AFFA61EEC941AB5C20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088089Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.222{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_2[1].txtMD5=6B559E6B268CC53FC0293A706E970550,SHA256=9179C223831AE54A2A21E24B1BDBD1D06C00098FA2A664F476756CEFA56C71E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088088Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.222{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_22[1].txtMD5=87C5803AC86277335317BEEC5B252EF0,SHA256=8F7211EC0F4E0532DB653FECB4F605EB4C3C6C9879B138185DB4AAF7245646BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088087Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.222{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_21[1].txtMD5=1DE957E6ECB8E53F1849E98E56D5D8F8,SHA256=D60A1010C3D82CAABA7C755C3A6423D7A268BCDC9EA4F27B10E8E14FD84ACD24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088086Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.206{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_20[1].txtMD5=A6A758B9A843A9AE35166154D051C654,SHA256=59BEC20EBDB4ABAD19803E90044333A5781C755A3DDC0663A4A95E88AA0F45DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088085Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.206{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_19[1].txtMD5=4EA6D9CCAE439451E3EDC69589C21F52,SHA256=115EE9EFD86B0AB505977609DBC1409CAD55275ED187667B37C1F7453406AA7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088084Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.191{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_18[1].txtMD5=7F25769992DF13C241A1F14C72781B7F,SHA256=C3F1170A49C7EE2CF721D222FA1F766543D0F69BBCB35BFA2C64453025365DA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088083Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.191{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_17[1].txtMD5=D2ECB824C1EBD5CAD726A8FA730F83BD,SHA256=9BA9C472659B68EC59A470063958FCF4C1B9F95670B884F95FF690DA601CADA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088082Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.034{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_16[1].txtMD5=91784C62BBC0181E5D1A1939D62C7576,SHA256=7C5953F43236E76AD1EABF5FB4E75FDC98F73A7686BFF5C023843D16A53C2CA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088081Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.034{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_15[1].txtMD5=E15FA9A83F9216A78A5E4AE2C2C08305,SHA256=65E0957B6D224D885497EE696AA97F94FE98D8BFBBD4F927508ABD645A4182BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088080Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.034{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_14[1].txtMD5=83CDB65FC5E3B9880848CA153945CD99,SHA256=E2E2AC74937053440DD9592C7CC1619F3290A042838C9922D69E1B5BFF985B89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088079Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.034{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_13[1].txtMD5=94E8C0A2D77D4C6A4CC2AA5D6D71B3FC,SHA256=F0E0AA4CBFFAC78A340ADD726D7D94A090CE6D8E6DEFBC9673531B4E5053B05D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088078Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.034{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_12[1].txtMD5=3F65ED27EE681BC5D4F69A5C271DB6A1,SHA256=63828079B72050681B6811C4AA76A79CF8FB5F51E04B1596DBD761007BFC829E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121072Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:52.285{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDF5C0677AACCBD0843AE3F3B9422395,SHA256=931BD5EFE900D0F333CAB8E007E465470143CD5B1872AF0CBADF1320FA536330,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088655Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.987{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Windows.MiracastView_cw5n1h2txyewy\Settings\settings.datMD5=A8308D2F3DDE0745E8B678BF69A2ECD0,SHA256=7FBB3E503ED8A4A8E5D5FAB601883CBB31D2E06D6B598460E570FB7A763EE555,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088654Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.972{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088653Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.972{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088652Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.972{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088651Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.972{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088650Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.972{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088649Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.972{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088648Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.972{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088647Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.956{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088646Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.956{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088645Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.956{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088644Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.956{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088643Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.956{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088642Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.956{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088641Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.956{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088640Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.956{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088639Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.956{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000088638Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.940{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\AppReadiness\S-1-5-21-2214540325-3392803530-572759246-500MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088637Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.940{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088636Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.940{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088635Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.940{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088634Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.940{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088633Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.940{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088632Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.940{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088631Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.925{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088630Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.925{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088629Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.925{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088628Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.925{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088627Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.925{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088626Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.925{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088625Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.925{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088624Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.925{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088623Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.925{9531C931-513F-623C-6705-000000004302}21644012C:\Windows\system32\svchost.exe{9531C931-513E-623C-6605-000000004302}780C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+115196|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088622Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.925{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088621Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.925{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088620Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.925{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088619Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.925{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088618Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.925{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088617Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.925{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000088616Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.909{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\SystemApps\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64MD5=1036E3DDDC89A4E68D8A33F3823A180E,SHA256=FB5E512425FC9449316EC95969EBE71E2D576DBAB833D61E2A5B9330FD70EE02,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088615Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.909{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088614Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.909{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088613Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.909{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088612Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.909{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088611Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.909{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088610Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.909{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088609Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.909{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088608Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.893{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088607Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.893{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088606Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.893{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088605Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.893{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088604Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.893{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000088603Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:52.893{9531C931-286E-623C-1300-000000004302}700C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\AppCs\S-1-15-2-2572118008-3077471215-3128327636-2598586217-811314952-2132569887-2279274531S-1-5-21-2214540325-3392803530-572759246-500v2.26|AppPkgId=S-1-15-2-2572118008-3077471215-3128327636-2598586217-811314952-2132569887-2279274531|LUOwn=S-1-5-21-2214540325-3392803530-572759246-500|C=S-1-15-3-2572118008-3077471215-3128327636-2598586217-811314952-2132569887-2279274531|M=microsoft.windows.secondarytileexperience_cw5n1h2txyewy|Name=SecondaryTileExperience|Desc=SecondaryTileExperience|D=C:\Windows\SystemApps\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\|PFN=Microsoft.Windows.SecondaryTileExperience_10.0.0.0_neutral__cw5n1h2txyewy| 10341000x800000000000000088602Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.893{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088601Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.893{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088600Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.893{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088599Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.893{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088598Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.893{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088597Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.893{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088596Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.893{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088595Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.893{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088594Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.893{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000088593Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:52.893{9531C931-286E-623C-1300-000000004302}700C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{6A7F70BB-CE4A-4FCD-92C7-8D0ACC9A4C01}v2.26|Action=Block|Active=TRUE|Dir=Out|Name=SecondaryTileExperience|Desc=SecondaryTileExperience|LUOwn=S-1-5-21-2214540325-3392803530-572759246-500|AppPkgId=S-1-15-2-2572118008-3077471215-3128327636-2598586217-811314952-2132569887-2279274531|EmbedCtxt=SecondaryTileExperience| 13241300x800000000000000088592Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:52.893{9531C931-286E-623C-1300-000000004302}700C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{69B9E8F2-359A-4764-A014-7E783355BBF2}v2.26|Action=Block|Active=TRUE|Dir=In|Name=SecondaryTileExperience|Desc=SecondaryTileExperience|LUOwn=S-1-5-21-2214540325-3392803530-572759246-500|AppPkgId=S-1-15-2-2572118008-3077471215-3128327636-2598586217-811314952-2132569887-2279274531|EmbedCtxt=SecondaryTileExperience| 10341000x800000000000000088591Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.893{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088590Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.893{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088589Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.893{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088588Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.893{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088587Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.893{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088586Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.893{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000088585Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.878{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\SystemApps\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64MD5=1036E3DDDC89A4E68D8A33F3823A180E,SHA256=FB5E512425FC9449316EC95969EBE71E2D576DBAB833D61E2A5B9330FD70EE02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088584Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.878{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\Settings\settings.datMD5=A8308D2F3DDE0745E8B678BF69A2ECD0,SHA256=7FBB3E503ED8A4A8E5D5FAB601883CBB31D2E06D6B598460E570FB7A763EE555,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000088583Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:52.847{9531C931-286E-623C-1300-000000004302}700C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\AppCs\S-1-15-2-957941444-2271171641-4049211970-804197638-2225746618-2474488012-4131196493S-1-5-21-2214540325-3392803530-572759246-500v2.26|AppPkgId=S-1-15-2-957941444-2271171641-4049211970-804197638-2225746618-2474488012-4131196493|LUOwn=S-1-5-21-2214540325-3392803530-572759246-500|C=S-1-15-3-1|C=S-1-15-3-957941444-2271171641-4049211970-804197638-2225746618-2474488012-4131196493|M=microsoft.xboxgamecallableui_cw5n1h2txyewy|Name=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Desc=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|D=C:\Windows\SystemApps\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\|PFN=Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy| 13241300x800000000000000088582Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:52.847{9531C931-286E-623C-1300-000000004302}700C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{C9655923-4D14-4982-AC6D-8A1DFB85DCE8}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Desc=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|LUOwn=S-1-5-21-2214540325-3392803530-572759246-500|AppPkgId=S-1-15-2-957941444-2271171641-4049211970-804197638-2225746618-2474488012-4131196493|EmbedCtxt=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Platform=2:6:2|Platform2=GTEQ| 13241300x800000000000000088581Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:52.847{9531C931-286E-623C-1300-000000004302}700C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{1D95297D-0AEA-4144-BE24-1BE3DC7BC266}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntErnet|RA62=IntErnet|Name=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Desc=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2214540325-3392803530-572759246-500|AppPkgId=S-1-15-2-957941444-2271171641-4049211970-804197638-2225746618-2474488012-4131196493|EmbedCtxt=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}| 10341000x800000000000000088580Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.847{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000088579Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:52.847{9531C931-286E-623C-1300-000000004302}700C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{8650E57E-5A23-401E-873B-04DFC849457F}v2.26|Action=Block|Active=TRUE|Dir=Out|Name=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Desc=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|LUOwn=S-1-5-21-2214540325-3392803530-572759246-500|AppPkgId=S-1-15-2-957941444-2271171641-4049211970-804197638-2225746618-2474488012-4131196493|EmbedCtxt=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}| 10341000x800000000000000088578Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.847{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088577Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.847{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000088576Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:52.847{9531C931-286E-623C-1300-000000004302}700C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{8F2CB599-D65A-4636-85B1-909EC45216FE}v2.26|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Desc=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|LUOwn=S-1-5-21-2214540325-3392803530-572759246-500|AppPkgId=S-1-15-2-957941444-2271171641-4049211970-804197638-2225746618-2474488012-4131196493|EmbedCtxt=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}| 10341000x800000000000000088575Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.847{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088574Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.847{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088573Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.847{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088572Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.831{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088571Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.831{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088570Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.831{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088569Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.831{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088568Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.831{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088567Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.831{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088566Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.831{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088565Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.831{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088564Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.831{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088563Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.831{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088562Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.831{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088561Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.831{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088560Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.831{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088559Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.831{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088558Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.831{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088557Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.831{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088556Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.831{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088555Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.831{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088554Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.831{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000088553Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.815{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\Settings\settings.datMD5=A8308D2F3DDE0745E8B678BF69A2ECD0,SHA256=7FBB3E503ED8A4A8E5D5FAB601883CBB31D2E06D6B598460E570FB7A763EE555,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088552Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.800{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088551Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.800{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088550Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.800{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088549Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.800{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088548Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.800{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088547Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.800{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088546Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.800{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088545Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.800{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088544Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.800{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088543Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.800{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088542Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.800{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088541Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.800{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088540Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.800{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088539Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.800{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088538Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.800{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088537Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.800{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088536Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.800{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088535Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.800{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088534Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.800{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088533Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.800{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000088532Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.800{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\AppReadiness\S-1-5-21-2214540325-3392803530-572759246-500MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088531Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.784{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088530Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.784{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088529Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.784{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088528Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.784{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088527Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.784{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088526Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.784{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088525Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.784{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088524Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.753{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088523Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.753{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000088522Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.753{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\AppReadiness\S-1-5-21-2214540325-3392803530-572759246-500MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088521Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.722{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78BD24D4282FCA83714CB32BF4A29078,SHA256=CBFA22826F49BFA0363CAEA77C0827A67E6F5483A0BBEBBDC4EC57B5B5663E20,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088520Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.691{9531C931-513F-623C-6705-000000004302}21641492C:\Windows\system32\svchost.exe{9531C931-513E-623C-6605-000000004302}780C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+115196|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088519Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.659{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088518Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.659{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088517Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.659{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088516Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.659{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088515Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.659{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088514Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.659{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088513Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.659{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000088512Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.659{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B345C4B2A03D5E87AF2D0535DB5CEFD7,SHA256=51BFDB933BBD7135E4A1053B467847239E752868101393CE3B2A2B6376B2D1A9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088511Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.659{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088510Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.659{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088509Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.659{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088508Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.659{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088507Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.659{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088506Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.659{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088505Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.659{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088504Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.659{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088503Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.659{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088502Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.659{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088501Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.659{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088500Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.659{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088499Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.659{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088498Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.659{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088497Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.643{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088496Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.643{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088495Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.643{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088494Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.643{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088493Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.643{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088492Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.643{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000088491Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.628{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\SystemApps\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64MD5=1036E3DDDC89A4E68D8A33F3823A180E,SHA256=FB5E512425FC9449316EC95969EBE71E2D576DBAB833D61E2A5B9330FD70EE02,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000088490Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:52.612{9531C931-286E-623C-1300-000000004302}700C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\AppCs\S-1-15-2-2705751783-1496458293-2835996032-3143071717-1071345625-677459937-2760321769S-1-5-21-2214540325-3392803530-572759246-500v2.26|AppPkgId=S-1-15-2-2705751783-1496458293-2835996032-3143071717-1071345625-677459937-2760321769|LUOwn=S-1-5-21-2214540325-3392803530-572759246-500|C=S-1-15-3-2705751783-1496458293-2835996032-3143071717-1071345625-677459937-2760321769|M=microsoft.windows.assignedaccesslockapp_cw5n1h2txyewy|Name=@{Microsoft.Windows.AssignedAccessLockApp_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.AssignedAccessLockApp/Resources/PackageDisplayName}|Desc=@{Microsoft.Windows.AssignedAccessLockApp_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.AssignedAccessLockApp/Resources/PackageDescription}|D=C:\Windows\SystemApps\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\|PFN=Microsoft.Windows.AssignedAccessLockApp_1000.14393.2068.0_neutral_neutral_cw5n1h2txyewy| 13241300x800000000000000088489Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:52.597{9531C931-286E-623C-1300-000000004302}700C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{D17A32FD-DCBF-4D5E-8E65-FDFD5184852F}v2.26|Action=Block|Active=TRUE|Dir=Out|Name=@{Microsoft.Windows.AssignedAccessLockApp_1000.14393.2068.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.AssignedAccessLockApp/Resources/PackageDisplayName}|Desc=@{Microsoft.Windows.AssignedAccessLockApp_1000.14393.2068.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.AssignedAccessLockApp/Resources/PackageDescription}|LUOwn=S-1-5-21-2214540325-3392803530-572759246-500|AppPkgId=S-1-15-2-2705751783-1496458293-2835996032-3143071717-1071345625-677459937-2760321769|EmbedCtxt=@{Microsoft.Windows.AssignedAccessLockApp_1000.14393.2068.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.AssignedAccessLockApp/Resources/PackageDisplayName}| 13241300x800000000000000088488Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:52.597{9531C931-286E-623C-1300-000000004302}700C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{0F7CC83F-0B54-473C-8BA3-CC2056848DFF}v2.26|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.Windows.AssignedAccessLockApp_1000.14393.2068.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.AssignedAccessLockApp/Resources/PackageDisplayName}|Desc=@{Microsoft.Windows.AssignedAccessLockApp_1000.14393.2068.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.AssignedAccessLockApp/Resources/PackageDescription}|LUOwn=S-1-5-21-2214540325-3392803530-572759246-500|AppPkgId=S-1-15-2-2705751783-1496458293-2835996032-3143071717-1071345625-677459937-2760321769|EmbedCtxt=@{Microsoft.Windows.AssignedAccessLockApp_1000.14393.2068.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.AssignedAccessLockApp/Resources/PackageDisplayName}| 10341000x800000000000000088487Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.597{9531C931-513F-623C-6705-000000004302}21644012C:\Windows\system32\svchost.exe{9531C931-513E-623C-6605-000000004302}780C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+115196|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000088486Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.581{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\Settings\settings.datMD5=A8308D2F3DDE0745E8B678BF69A2ECD0,SHA256=7FBB3E503ED8A4A8E5D5FAB601883CBB31D2E06D6B598460E570FB7A763EE555,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088485Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.565{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088484Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.565{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088483Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.565{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088482Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.565{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088481Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.565{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088480Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.565{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088479Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.565{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088478Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.565{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088477Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.565{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088476Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.565{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088475Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.565{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088474Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.565{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088473Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.550{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088472Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.550{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088471Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.550{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088470Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.550{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088469Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.550{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088468Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.550{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088467Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.550{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088466Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.550{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088465Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.550{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088464Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.550{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088463Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.550{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088462Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.550{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088461Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.550{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088460Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.550{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088459Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.550{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088458Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.550{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088457Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.550{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088456Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.550{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088455Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.550{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088454Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.550{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088453Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.550{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088452Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.550{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088451Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.550{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088450Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.550{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088449Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.550{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088448Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.550{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088447Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.550{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088446Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.550{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088445Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.550{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088444Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.550{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088443Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.550{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088442Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.550{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088441Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.550{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088440Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.534{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088439Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.534{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088438Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.534{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088437Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.534{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088436Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.534{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088435Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.534{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000088434Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.534{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64MD5=1036E3DDDC89A4E68D8A33F3823A180E,SHA256=FB5E512425FC9449316EC95969EBE71E2D576DBAB833D61E2A5B9330FD70EE02,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088433Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.534{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088432Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.503{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088431Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.503{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000088430Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.503{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\AppReadiness\S-1-5-21-2214540325-3392803530-572759246-500MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000088429Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:52.487{9531C931-286E-623C-1300-000000004302}700C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\AppCs\S-1-15-2-1255970798-2717750985-493741290-1721212560-3530798636-1829112236-3118580706S-1-5-21-2214540325-3392803530-572759246-500v2.26|AppPkgId=S-1-15-2-1255970798-2717750985-493741290-1721212560-3530798636-1829112236-3118580706|LUOwn=S-1-5-21-2214540325-3392803530-572759246-500|C=S-1-15-3-1|C=S-1-15-3-1255970798-2717750985-493741290-1721212560-3530798636-1829112236-3118580706|M=microsoft.windows.apprep.chxapp_cw5n1h2txyewy|Name=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Desc=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|D=C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy\|PFN=Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy| 13241300x800000000000000088428Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:52.472{9531C931-286E-623C-1300-000000004302}700C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{1FE5A697-1E1B-479A-AA96-C57F264A2F0C}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Desc=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|LUOwn=S-1-5-21-2214540325-3392803530-572759246-500|AppPkgId=S-1-15-2-1255970798-2717750985-493741290-1721212560-3530798636-1829112236-3118580706|EmbedCtxt=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Platform=2:6:2|Platform2=GTEQ| 13241300x800000000000000088427Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:52.472{9531C931-286E-623C-1300-000000004302}700C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{1228950B-5832-4DCF-AB0B-D0B8D49AC402}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntErnet|RA62=IntErnet|Name=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Desc=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2214540325-3392803530-572759246-500|AppPkgId=S-1-15-2-1255970798-2717750985-493741290-1721212560-3530798636-1829112236-3118580706|EmbedCtxt=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}| 10341000x800000000000000088426Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.472{9531C931-513F-623C-6705-000000004302}21644012C:\Windows\system32\svchost.exe{9531C931-513E-623C-6605-000000004302}780C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+115196|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000088425Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:52.472{9531C931-286E-623C-1300-000000004302}700C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{7179B1C9-8276-489C-BD7E-6067BCD87765}v2.26|Action=Block|Active=TRUE|Dir=Out|Name=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Desc=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|LUOwn=S-1-5-21-2214540325-3392803530-572759246-500|AppPkgId=S-1-15-2-1255970798-2717750985-493741290-1721212560-3530798636-1829112236-3118580706|EmbedCtxt=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}| 13241300x800000000000000088424Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:52.472{9531C931-286E-623C-1300-000000004302}700C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{E63CF035-7474-4E7E-A4C0-8E97D24E7489}v2.26|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Desc=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|LUOwn=S-1-5-21-2214540325-3392803530-572759246-500|AppPkgId=S-1-15-2-1255970798-2717750985-493741290-1721212560-3530798636-1829112236-3118580706|EmbedCtxt=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}| 10341000x800000000000000088423Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.456{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088422Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.456{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088421Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.456{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088420Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.456{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088419Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.456{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088418Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.456{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088417Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.456{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000088416Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.456{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy\Settings\settings.datMD5=A8308D2F3DDE0745E8B678BF69A2ECD0,SHA256=7FBB3E503ED8A4A8E5D5FAB601883CBB31D2E06D6B598460E570FB7A763EE555,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088415Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.440{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088414Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.440{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088413Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.440{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088412Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.440{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088411Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.440{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088410Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.440{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088409Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.440{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088408Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.440{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088407Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.440{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088406Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.440{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088405Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.440{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088404Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.440{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088403Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.440{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088402Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.440{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088401Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.440{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088400Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.440{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088399Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.440{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088398Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.440{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088397Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.440{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088396Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.440{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000088395Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.440{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C66F044ACC3AE9404531B1BBE917DA3F,SHA256=BFE2B411B73D98E456B5A67537F24BE8F5F2C8AA149BEE354B77C82087135E54,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088394Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.440{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088393Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.440{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088392Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.440{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088391Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.440{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088390Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.440{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088389Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.440{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088388Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.425{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088387Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.425{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088386Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.425{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088385Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.425{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088384Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.425{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088383Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.425{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088382Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.425{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088381Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.425{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088380Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.425{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088379Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.425{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088378Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.425{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088377Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.425{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000088376Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.425{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64MD5=1036E3DDDC89A4E68D8A33F3823A180E,SHA256=FB5E512425FC9449316EC95969EBE71E2D576DBAB833D61E2A5B9330FD70EE02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088375Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.425{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=063562A8E4FC6A4D2616873F1F018093,SHA256=99A5C577DA7FC94B1B44EBFE7D6200EFB150676F182630F8FFC80EA721DB89EE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088374Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.425{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088373Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.425{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088372Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.425{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088371Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.425{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088370Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.425{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088369Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.425{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088368Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.425{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088367Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.378{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088366Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.378{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000088365Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.378{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\AppReadiness\S-1-5-21-2214540325-3392803530-572759246-500MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088364Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.378{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-5144-623C-7205-000000004302}732C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088363Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.378{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088362Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.378{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088361Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.378{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088360Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.378{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088359Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.378{9531C931-286C-623C-0500-000000004302}4081060C:\Windows\system32\csrss.exe{9531C931-5144-623C-7205-000000004302}732C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000088358Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.363{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-5144-623C-7205-000000004302}732C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000088357Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.160{9531C931-5144-623C-7205-000000004302}732C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x800000000000000088356Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:52.347{9531C931-286E-623C-1300-000000004302}700C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\AppCs\S-1-15-2-2758101530-1321080646-1475665648-4066602542-2880396197-3643791541-2654759312S-1-5-21-2214540325-3392803530-572759246-500v2.26|AppPkgId=S-1-15-2-2758101530-1321080646-1475665648-4066602542-2880396197-3643791541-2654759312|LUOwn=S-1-5-21-2214540325-3392803530-572759246-500|C=S-1-15-3-1|C=S-1-15-3-2758101530-1321080646-1475665648-4066602542-2880396197-3643791541-2654759312|M=microsoft.lockapp_cw5n1h2txyewy|Name=@{Microsoft.LockApp_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Desc=@{Microsoft.LockApp_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|D=C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\|PFN=Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy| 10341000x800000000000000088355Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.347{9531C931-513F-623C-6705-000000004302}21644012C:\Windows\system32\svchost.exe{9531C931-513E-623C-6605-000000004302}780C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+115196|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000088354Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:52.347{9531C931-286E-623C-1300-000000004302}700C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{FB98640F-282C-4908-ADF3-DE173AD7A4F7}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Desc=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|LUOwn=S-1-5-21-2214540325-3392803530-572759246-500|AppPkgId=S-1-15-2-2758101530-1321080646-1475665648-4066602542-2880396197-3643791541-2654759312|EmbedCtxt=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Platform=2:6:2|Platform2=GTEQ| 13241300x800000000000000088353Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:52.347{9531C931-286E-623C-1300-000000004302}700C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{475A1C6B-931C-4625-A01C-7B896C2AEE85}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntErnet|RA62=IntErnet|Name=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Desc=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2214540325-3392803530-572759246-500|AppPkgId=S-1-15-2-2758101530-1321080646-1475665648-4066602542-2880396197-3643791541-2654759312|EmbedCtxt=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}| 13241300x800000000000000088352Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:52.347{9531C931-286E-623C-1300-000000004302}700C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{616F0DF4-FE38-49E7-B69D-2375B183999A}v2.26|Action=Block|Active=TRUE|Dir=Out|Name=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Desc=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|LUOwn=S-1-5-21-2214540325-3392803530-572759246-500|AppPkgId=S-1-15-2-2758101530-1321080646-1475665648-4066602542-2880396197-3643791541-2654759312|EmbedCtxt=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}| 13241300x800000000000000088351Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:52.347{9531C931-286E-623C-1300-000000004302}700C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{D0A002D0-2C62-4782-8F78-F096DCF12F4B}v2.26|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Desc=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|LUOwn=S-1-5-21-2214540325-3392803530-572759246-500|AppPkgId=S-1-15-2-2758101530-1321080646-1475665648-4066602542-2880396197-3643791541-2654759312|EmbedCtxt=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}| 23542300x800000000000000088350Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.269{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.LockApp_cw5n1h2txyewy\Settings\settings.datMD5=A8308D2F3DDE0745E8B678BF69A2ECD0,SHA256=7FBB3E503ED8A4A8E5D5FAB601883CBB31D2E06D6B598460E570FB7A763EE555,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088349Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.237{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088348Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.237{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088347Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.237{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088346Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.237{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088345Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.237{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088344Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.237{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088343Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.237{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088342Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.222{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088341Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.222{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088340Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.222{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088339Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.222{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088338Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.222{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088337Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.222{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088336Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.222{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088335Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.222{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088334Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.222{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088333Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.222{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088332Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.222{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088331Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.222{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088330Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.222{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088329Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.222{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088328Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.212{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088327Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.190{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088326Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.190{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088325Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.190{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088324Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.190{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088323Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.190{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088322Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.190{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088321Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.190{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088320Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.190{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088319Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.190{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088318Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.190{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088317Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.190{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088316Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.190{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088315Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.190{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088314Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.190{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088313Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.190{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088312Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.190{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088311Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.190{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088310Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.175{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088309Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.175{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088308Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.175{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088307Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.175{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088306Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.175{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088305Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.175{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088304Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.175{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088303Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.143{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088302Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.143{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000088301Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.143{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\AppReadiness\S-1-5-21-2214540325-3392803530-572759246-500MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088300Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.128{9531C931-513F-623C-6705-000000004302}21644012C:\Windows\system32\svchost.exe{9531C931-513E-623C-6605-000000004302}780C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+115196|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088299Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.097{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088298Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.097{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088297Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.097{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088296Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.097{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088295Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.097{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088294Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.097{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088293Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.097{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088292Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.097{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088291Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.097{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088290Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.097{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088289Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.097{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088288Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.097{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088287Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.097{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088286Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.097{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088285Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.081{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088284Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.081{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088283Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.081{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088282Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.081{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088281Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.081{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088280Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.081{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088279Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.081{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088278Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.081{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088277Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.081{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088276Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.081{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088275Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.081{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088274Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.081{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088273Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.081{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000088272Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.065{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64MD5=1036E3DDDC89A4E68D8A33F3823A180E,SHA256=FB5E512425FC9449316EC95969EBE71E2D576DBAB833D61E2A5B9330FD70EE02,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088271Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.065{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088270Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.065{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088269Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.065{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088268Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.065{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088267Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.065{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088266Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.065{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088265Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.065{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088264Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.065{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088263Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.065{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088262Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.065{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088261Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.065{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088260Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.065{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000088259Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:52.034{9531C931-286E-623C-1300-000000004302}700C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\AppCs\S-1-15-2-969871995-3242822759-583047763-1618006129-3578262429-3647035748-2471858633S-1-5-21-2214540325-3392803530-572759246-500v2.26|AppPkgId=S-1-15-2-969871995-3242822759-583047763-1618006129-3578262429-3647035748-2471858633|LUOwn=S-1-5-21-2214540325-3392803530-572759246-500|C=S-1-15-3-1|C=S-1-15-3-9|C=S-1-15-3-969871995-3242822759-583047763-1618006129-3578262429-3647035748-2471858633|M=microsoft.accountscontrol_cw5n1h2txyewy|Name=@{Microsoft.AccountsControl_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Desc=@{Microsoft.AccountsControl_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|D=C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\|PFN=Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy| 13241300x800000000000000088258Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:52.034{9531C931-286E-623C-1300-000000004302}700C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{593BA8A3-5DB7-4428-AD64-BE4CBC156F6C}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Desc=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|LUOwn=S-1-5-21-2214540325-3392803530-572759246-500|AppPkgId=S-1-15-2-969871995-3242822759-583047763-1618006129-3578262429-3647035748-2471858633|EmbedCtxt=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Platform=2:6:2|Platform2=GTEQ| 13241300x800000000000000088257Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:52.034{9531C931-286E-623C-1300-000000004302}700C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{6176FD6F-01A8-43A5-AB84-3367D981A62E}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntErnet|RA62=IntErnet|Name=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Desc=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2214540325-3392803530-572759246-500|AppPkgId=S-1-15-2-969871995-3242822759-583047763-1618006129-3578262429-3647035748-2471858633|EmbedCtxt=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}| 13241300x800000000000000088256Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:52.034{9531C931-286E-623C-1300-000000004302}700C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{29BFFFD8-854E-4541-A0DD-67DCBE0D8940}v2.26|Action=Block|Active=TRUE|Dir=Out|Name=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Desc=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|LUOwn=S-1-5-21-2214540325-3392803530-572759246-500|AppPkgId=S-1-15-2-969871995-3242822759-583047763-1618006129-3578262429-3647035748-2471858633|EmbedCtxt=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}| 13241300x800000000000000088255Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:08:52.034{9531C931-286E-623C-1300-000000004302}700C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{506F4AD0-12FD-435C-85CA-81049DE5C824}v2.26|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Desc=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|LUOwn=S-1-5-21-2214540325-3392803530-572759246-500|AppPkgId=S-1-15-2-969871995-3242822759-583047763-1618006129-3578262429-3647035748-2471858633|EmbedCtxt=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}| 23542300x800000000000000088254Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.018{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\Settings\settings.datMD5=A8308D2F3DDE0745E8B678BF69A2ECD0,SHA256=7FBB3E503ED8A4A8E5D5FAB601883CBB31D2E06D6B598460E570FB7A763EE555,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088253Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.003{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088252Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.003{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088251Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.003{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088250Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.003{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088249Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.003{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088248Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.987{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000121075Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:52.163{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local53domainfalse10.0.1.15WIN-HOST-TCONTR61425- 354300x8000000000000000121074Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:52.152{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local53domainfalse10.0.1.15WIN-HOST-TCONTR58861- 23542300x8000000000000000121073Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:53.378{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=737F59381F4B03411E76006F468805A1,SHA256=CAC5138D057448A27330B96E1A6CDF2F2C66697253ECF095397C75C63CED76ED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088781Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.972{9531C931-286C-623C-0B00-000000004302}6282284C:\Windows\system32\lsass.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088780Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.972{9531C931-286C-623C-0B00-000000004302}6283668C:\Windows\system32\lsass.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088779Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.956{9531C931-286C-623C-0B00-000000004302}6283668C:\Windows\system32\lsass.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088778Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.956{9531C931-286C-623C-0B00-000000004302}6283668C:\Windows\system32\lsass.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088777Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.940{9531C931-286C-623C-0B00-000000004302}6283668C:\Windows\system32\lsass.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088776Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.940{9531C931-286C-623C-0B00-000000004302}6283668C:\Windows\system32\lsass.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088775Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.925{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088774Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.925{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088773Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.925{9531C931-286C-623C-0B00-000000004302}6283668C:\Windows\system32\lsass.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000088772Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.925{9531C931-513E-623C-6505-000000004302}3588WIN-HOST-TCONTR\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7e4dca80246863e3.customDestinations-ms~RFa0401b.TMPMD5=6852E3A0BF1C01BB4DBFCB51C1A7C087,SHA256=74D6D8C58D0BEB0716EEECDC55366E193186924A616E057CD210F4104E5D85E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088771Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.911{9531C931-513E-623C-6505-000000004302}3588WIN-HOST-TCONTR\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\f01b4d95cf55d32a.customDestinations-ms~RFa0401b.TMPMD5=B9BD716DE6739E51C620F2086F9C31E4,SHA256=7116FF028244A01F3D17F1D3BC2E1506BC9999C2E40E388458F0CCCC4E117312,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088770Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.911{9531C931-286C-623C-0B00-000000004302}6283668C:\Windows\system32\lsass.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088769Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.893{9531C931-286C-623C-0B00-000000004302}6283668C:\Windows\system32\lsass.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088768Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.878{9531C931-286C-623C-0B00-000000004302}6283668C:\Windows\system32\lsass.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000088767Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.847{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\File Explorer (7).lnk2022-03-24 11:08:53.847 10341000x800000000000000088766Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.847{9531C931-286C-623C-0B00-000000004302}6283668C:\Windows\system32\lsass.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088765Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.831{9531C931-286C-623C-0B00-000000004302}6283668C:\Windows\system32\lsass.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088764Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.815{9531C931-286C-623C-0B00-000000004302}6283668C:\Windows\system32\lsass.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088763Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.800{9531C931-286C-623C-0B00-000000004302}6283668C:\Windows\system32\lsass.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000088762Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.784{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer (7).lnk2022-03-24 11:08:53.784 10341000x800000000000000088761Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.784{9531C931-286C-623C-0B00-000000004302}6283668C:\Windows\system32\lsass.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088760Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.768{9531C931-286C-623C-0B00-000000004302}6283668C:\Windows\system32\lsass.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088759Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.768{9531C931-286C-623C-0B00-000000004302}6283668C:\Windows\system32\lsass.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088758Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.753{9531C931-286C-623C-0B00-000000004302}6283668C:\Windows\system32\lsass.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088757Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.737{9531C931-286C-623C-0B00-000000004302}6283668C:\Windows\system32\lsass.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088756Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.722{9531C931-286C-623C-0B00-000000004302}6283668C:\Windows\system32\lsass.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088755Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.706{9531C931-286C-623C-0B00-000000004302}6283668C:\Windows\system32\lsass.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088754Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.690{9531C931-286C-623C-0B00-000000004302}6283668C:\Windows\system32\lsass.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088753Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.597{9531C931-5145-623C-7305-000000004302}11521176C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000088752Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.378{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDEEF0FFE475AF3349D066BB33AB3EFE,SHA256=EDBF2041EA068CED7D9415F8E07545947BB59C8BFD00431506DA8CF10AFF5466,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000088751Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971T1042SetValue2022-03-24 11:08:53.378{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXEHKU\S-1-5-21-2214540325-3392803530-572759246-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithProgids\exefileBinary Data 23542300x800000000000000088750Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.315{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=028F6E2906A9FA81ADD3A758ED00F8A7,SHA256=1A7480BAF06599E29A7B79761811854D1884FA95080DA0119167094372CB1BCF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088749Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.300{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088748Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.300{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088747Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.284{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088746Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.284{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000088745Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.284{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CE1917698DBBB71FCD6570400009045,SHA256=06C2994F6908F6F83AD5198B7F569F4BAF0B9DCD8D8C729C7FD13FDEBAD00C3F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088744Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.268{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088743Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.268{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088742Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.268{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088741Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.268{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088740Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.253{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088739Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.253{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088738Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.237{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088737Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.237{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000088736Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.237{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=59899CCA98672C376C550C56AB9F7C0A,SHA256=848A809B5B6289CE6761739E090E6887DA63F0730DA2271F50C252D60ED9C627,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088735Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.222{9531C931-513E-623C-6605-000000004302}7803780C:\Windows\System32\svchost.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b130|c:\windows\system32\appreadiness.dll+bf29|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000088734Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.222{9531C931-513E-623C-6605-000000004302}7803780C:\Windows\System32\svchost.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b063|c:\windows\system32\appreadiness.dll+beb1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000088733Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.222{9531C931-513E-623C-6605-000000004302}7803780C:\Windows\System32\svchost.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b130|c:\windows\system32\appreadiness.dll+b71e|c:\windows\system32\appreadiness.dll+b625|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc 10341000x800000000000000088732Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.222{9531C931-513E-623C-6605-000000004302}7803780C:\Windows\System32\svchost.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b063|c:\windows\system32\appreadiness.dll+b680|c:\windows\system32\appreadiness.dll+b625|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc 10341000x800000000000000088731Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.222{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-5145-623C-7305-000000004302}1152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088730Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.222{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088729Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.222{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088728Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.222{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088727Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.222{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088726Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.222{9531C931-286C-623C-0500-000000004302}408424C:\Windows\system32\csrss.exe{9531C931-5145-623C-7305-000000004302}1152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000088725Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.222{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-5145-623C-7305-000000004302}1152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000088724Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.068{9531C931-5145-623C-7305-000000004302}1152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000088723Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.190{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088722Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.190{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088721Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.190{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088720Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.190{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088719Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.190{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088718Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.190{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088717Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.190{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088716Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.175{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088715Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.175{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088714Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.175{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088713Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.175{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088712Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.175{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088711Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.175{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088710Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.175{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088709Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.175{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088708Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.175{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088707Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.159{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088706Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.159{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088705Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.159{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088704Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.159{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088703Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.159{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088702Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.159{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088701Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.159{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088700Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.159{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088699Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.159{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088698Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.159{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088697Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.159{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000088696Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.144{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\PrintDialog\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64MD5=1036E3DDDC89A4E68D8A33F3823A180E,SHA256=FB5E512425FC9449316EC95969EBE71E2D576DBAB833D61E2A5B9330FD70EE02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088695Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.128{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\Settings\settings.datMD5=A8308D2F3DDE0745E8B678BF69A2ECD0,SHA256=7FBB3E503ED8A4A8E5D5FAB601883CBB31D2E06D6B598460E570FB7A763EE555,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088694Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.081{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088693Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.081{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088692Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.081{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088691Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.081{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088690Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.081{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088689Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.081{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088688Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.081{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088687Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.050{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088686Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.050{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088685Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.050{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088684Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.050{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088683Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.050{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088682Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.050{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088681Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.050{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088680Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.050{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088679Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.050{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000088678Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.034{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\AppReadiness\S-1-5-21-2214540325-3392803530-572759246-500MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088677Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.034{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088676Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.034{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088675Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.034{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088674Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.034{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088673Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.034{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088672Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.034{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088671Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.034{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088670Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.034{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088669Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.034{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088668Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.034{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088667Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.034{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088666Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.034{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088665Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.034{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088664Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.034{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088663Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.018{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088662Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.018{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088661Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.018{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088660Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.018{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088659Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.018{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088658Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.018{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-513F-623C-6705-000000004302}2164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088657Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.018{9531C931-513F-623C-6705-000000004302}21644012C:\Windows\system32\svchost.exe{9531C931-513E-623C-6605-000000004302}780C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+115196|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000088656Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.003{9531C931-513F-623C-6705-000000004302}2164NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\MiracastView\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64MD5=1036E3DDDC89A4E68D8A33F3823A180E,SHA256=FB5E512425FC9449316EC95969EBE71E2D576DBAB833D61E2A5B9330FD70EE02,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088850Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:54.972{9531C931-513E-623C-6505-000000004302}35884020C:\Windows\Explorer.EXE{9531C931-5146-623C-7405-000000004302}1152C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\SHCORE.dll+35576|C:\Windows\System32\SHCORE.dll+201ef|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a 10341000x800000000000000088849Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:54.972{9531C931-513E-623C-6505-000000004302}35884020C:\Windows\Explorer.EXE{9531C931-5146-623C-7405-000000004302}1152C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\SHCORE.dll+35576|C:\Windows\System32\SHCORE.dll+201ef|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a 23542300x800000000000000088848Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:54.972{9531C931-286E-623C-2100-000000004302}2000NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=E22BF852AC2BA8FD2FBA714055C7F434,SHA256=89872004D2E76EAD9F992F255F1DEF5E93E9398D50ADB71A97CE40C969BFFC11,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088847Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:54.972{9531C931-513E-623C-6505-000000004302}35884020C:\Windows\Explorer.EXE{9531C931-5146-623C-7405-000000004302}1152C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\SHCORE.dll+35576|C:\Windows\System32\SHCORE.dll+201ef|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a 10341000x800000000000000088846Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:54.956{9531C931-513E-623C-6505-000000004302}35884020C:\Windows\Explorer.EXE{9531C931-5146-623C-7405-000000004302}1152C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\SHCORE.dll+35576|C:\Windows\System32\SHCORE.dll+201ef|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+54153|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a 10341000x800000000000000088845Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:54.940{9531C931-286E-623C-1400-000000004302}9523044C:\Windows\system32\svchost.exe{9531C931-5146-623C-7405-000000004302}1152C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088844Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:54.940{9531C931-286E-623C-1400-000000004302}9521104C:\Windows\system32\svchost.exe{9531C931-5146-623C-7405-000000004302}1152C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088843Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:54.925{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088842Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:54.925{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088841Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:54.925{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-5146-623C-7405-000000004302}1152C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088840Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:54.925{9531C931-5139-623C-5205-000000004302}15401844C:\Windows\system32\csrss.exe{9531C931-5146-623C-7405-000000004302}1152C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000088839Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:54.925{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000121077Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:52.929{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63403-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000121076Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:54.472{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D508EA0EA5BB80E8A65CF8D3AD3E6E1,SHA256=F757BD3064F1FA418835C2DCC9C89B4188B133409BCD5C192424357B34BA46A8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088838Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:54.909{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088837Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:54.909{9531C931-286C-623C-0500-000000004302}408424C:\Windows\system32\csrss.exe{9531C931-5146-623C-7405-000000004302}1152C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000088836Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:54.909{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-5146-623C-7405-000000004302}1152C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f553|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25bc9|c:\windows\system32\rpcss.dll+40ca2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088835Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:54.909{9531C931-286C-623C-0B00-000000004302}6282284C:\Windows\system32\lsass.exe{9531C931-286E-623C-1600-000000004302}1216C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088834Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:54.909{9531C931-286C-623C-0B00-000000004302}6283668C:\Windows\system32\lsass.exe{9531C931-286E-623C-1600-000000004302}1216C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088833Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:54.893{9531C931-513D-623C-6005-000000004302}32162744C:\Windows\system32\taskhostw.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088832Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:54.893{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088831Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:54.893{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088830Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:54.409{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088829Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:54.409{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088828Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:54.409{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088827Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:54.409{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088826Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:54.393{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088825Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:54.362{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088824Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:54.331{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088823Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:54.300{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000088822Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:54.300{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=460AEF41EDB28F649F84563124604F57,SHA256=3D98A03DF4EBB6F0633ED230F6B5CC6E109D7C7DA84E7C61B879113270D5DA91,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088821Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:54.284{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088820Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:54.284{9531C931-513C-623C-5C05-000000004302}25563148C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\TokenBroker.dll+1158a|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+54153|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37efc|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e 10341000x800000000000000088819Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:54.268{9531C931-513C-623C-5C05-000000004302}25563148C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+114b3|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+54153|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37efc|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000088818Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:54.268{9531C931-286C-623C-0B00-000000004302}6282284C:\Windows\system32\lsass.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088817Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:54.268{9531C931-286C-623C-0B00-000000004302}6282284C:\Windows\system32\lsass.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088816Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:54.268{9531C931-286C-623C-0B00-000000004302}6282284C:\Windows\system32\lsass.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088815Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:54.253{9531C931-286C-623C-0B00-000000004302}6282284C:\Windows\system32\lsass.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088814Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:54.253{9531C931-286C-623C-0B00-000000004302}6282284C:\Windows\system32\lsass.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088813Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:54.237{9531C931-286C-623C-0B00-000000004302}6282284C:\Windows\system32\lsass.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088812Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:54.237{9531C931-286C-623C-0B00-000000004302}6282284C:\Windows\system32\lsass.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088811Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:54.222{9531C931-286C-623C-0B00-000000004302}6282284C:\Windows\system32\lsass.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000088810Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:54.222{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=A088381418847DEC427E0D6AC634FBC3,SHA256=6F358C572D7EE4F405F52BFDD7C347DDF2B0975F18951E558F75FA4D87494104,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088809Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:54.222{9531C931-286C-623C-0B00-000000004302}6282284C:\Windows\system32\lsass.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088808Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:54.206{9531C931-286C-623C-0B00-000000004302}6282284C:\Windows\system32\lsass.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088807Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:54.190{9531C931-286C-623C-0B00-000000004302}6282284C:\Windows\system32\lsass.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088806Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:54.190{9531C931-286C-623C-0B00-000000004302}6282284C:\Windows\system32\lsass.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088805Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:54.175{9531C931-286C-623C-0B00-000000004302}6282284C:\Windows\system32\lsass.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088804Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:54.175{9531C931-286C-623C-0B00-000000004302}6282284C:\Windows\system32\lsass.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088803Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:54.159{9531C931-286C-623C-0B00-000000004302}6282284C:\Windows\system32\lsass.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088802Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:54.144{9531C931-286C-623C-0B00-000000004302}6282284C:\Windows\system32\lsass.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088801Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:54.144{9531C931-286C-623C-0B00-000000004302}6282284C:\Windows\system32\lsass.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088800Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:54.128{9531C931-286C-623C-0B00-000000004302}6282284C:\Windows\system32\lsass.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088799Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:54.112{9531C931-286C-623C-0B00-000000004302}6282284C:\Windows\system32\lsass.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088798Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:54.112{9531C931-286C-623C-0B00-000000004302}6282284C:\Windows\system32\lsass.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088797Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:54.097{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088796Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:54.097{9531C931-286C-623C-0B00-000000004302}6282284C:\Windows\system32\lsass.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088795Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:54.097{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088794Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:54.097{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088793Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:54.097{9531C931-286C-623C-0B00-000000004302}6282284C:\Windows\system32\lsass.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088792Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:54.081{9531C931-286C-623C-0B00-000000004302}6282284C:\Windows\system32\lsass.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088791Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:54.065{9531C931-286C-623C-0B00-000000004302}6282284C:\Windows\system32\lsass.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088790Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:54.065{9531C931-286C-623C-0B00-000000004302}6282284C:\Windows\system32\lsass.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088789Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:54.050{9531C931-286C-623C-0B00-000000004302}6282284C:\Windows\system32\lsass.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088788Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:54.050{9531C931-286C-623C-0B00-000000004302}6282284C:\Windows\system32\lsass.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088787Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:54.034{9531C931-286C-623C-0B00-000000004302}6282284C:\Windows\system32\lsass.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000088786Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.137{9531C931-286E-623C-1400-000000004302}952C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51754-false168.63.250.82-80http 354300x800000000000000088785Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:51.951{9531C931-286E-623C-1400-000000004302}952C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51753-false104.125.30.92a104-125-30-92.deploy.static.akamaitechnologies.com80http 10341000x800000000000000088784Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:54.018{9531C931-286C-623C-0B00-000000004302}6282284C:\Windows\system32\lsass.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000088783Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:54.018{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=951429D36BDA7059BABDF29526F70AC8,SHA256=38B3CA6134B96BB1C3FAEEF253054DD4497BC4B4823D243769236B67B7DB6E3E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088782Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:54.005{9531C931-286C-623C-0B00-000000004302}6282284C:\Windows\system32\lsass.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000121081Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:53.712{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local53domainfalse10.0.1.15WIN-HOST-TCONTR52720- 354300x8000000000000000121080Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:53.711{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local53domainfalse10.0.1.15WIN-HOST-TCONTR62074- 10341000x8000000000000000121079Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:55.863{5F3DCEF0-286D-623C-0D00-000000004202}8841160C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-8B00-000000004202}4584C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3d877|c:\windows\system32\rpcss.dll+29a97|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000121078Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:55.566{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DD7B264F07E7759A2E96D8237258D1C,SHA256=DBE0FE7F6CEC5EBF2CB706620B6BC5D239B2635061AE0F6D398DA7C74398AE4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088867Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:55.409{9531C931-513E-623C-6505-000000004302}3588WIN-HOST-TCONTR\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Notifications\WPNPRMRY.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088866Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:55.393{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088865Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:55.393{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088864Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:55.237{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-5147-623C-7505-000000004302}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088863Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:55.237{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088862Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:55.237{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088861Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:55.237{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088860Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:55.222{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088859Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:55.222{9531C931-286C-623C-0500-000000004302}408424C:\Windows\system32\csrss.exe{9531C931-5147-623C-7505-000000004302}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000088858Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:55.222{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-5147-623C-7505-000000004302}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000088857Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:55.020{9531C931-5147-623C-7505-000000004302}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000088856Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:55.144{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF633E063595575461D0A53B61F8C94B,SHA256=90EC682AC18810B502DACB6B62AF3C6C9AE1329A051E0D3E6A71F64ADA322A46,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000088855Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.704{9531C931-286E-623C-1400-000000004302}952C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51757-false104.125.30.92a104-125-30-92.deploy.static.akamaitechnologies.com80http 354300x800000000000000088854Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.511{9531C931-286E-623C-1400-000000004302}952C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51756-false104.125.30.92a104-125-30-92.deploy.static.akamaitechnologies.com80http 354300x800000000000000088853Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:52.319{9531C931-286E-623C-1400-000000004302}952C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51755-false104.125.30.92a104-125-30-92.deploy.static.akamaitechnologies.com80http 10341000x800000000000000088852Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:55.003{9531C931-513E-623C-6505-000000004302}35882724C:\Windows\Explorer.EXE{9531C931-5146-623C-7405-000000004302}1152C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\SHCORE.dll+35576|C:\Windows\System32\SHCORE.dll+201ef|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a 10341000x800000000000000088851Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:55.003{9531C931-513E-623C-6505-000000004302}35882724C:\Windows\Explorer.EXE{9531C931-5146-623C-7405-000000004302}1152C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\SHCORE.dll+35576|C:\Windows\System32\SHCORE.dll+201ef|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a 23542300x8000000000000000121082Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:56.664{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68D5F690BAB996EAF7EA03EACA00A5F0,SHA256=0032C72BC03C8C0CC2BD0AF47EE55834510D160C63496A02ACBDE554114816BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088925Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:56.867{9531C931-5148-623C-7805-000000004302}43804384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000088924Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:56.820{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2715D6DE80098CF980955FBB82B93EF1,SHA256=F78943A3867A1B9EF04AEA2BBB201D0620CB12C562849880DDA0CA1DCE6465E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088923Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:56.664{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39D118D0B1341C6EB351E9E526BAAA45,SHA256=5AD8C34FB891AE1B27A6E424A7630C2ECC8454F666FBBBB2FDDA11A89E175AEE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088922Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:56.664{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-5148-623C-7805-000000004302}4380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088921Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:56.664{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088920Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:56.664{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088919Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:56.664{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088918Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:56.664{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088917Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:56.664{9531C931-286C-623C-0500-000000004302}4081060C:\Windows\system32\csrss.exe{9531C931-5148-623C-7805-000000004302}4380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000088916Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:56.664{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-5148-623C-7805-000000004302}4380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000088915Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:56.664{9531C931-5148-623C-7805-000000004302}4380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000088914Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:56.507{9531C931-286E-623C-1400-000000004302}9522720C:\Windows\system32\svchost.exe{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088913Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:56.507{9531C931-286E-623C-1400-000000004302}9521104C:\Windows\system32\svchost.exe{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088912Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:56.492{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088911Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:56.492{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|c:\windows\system32\psmsrv.dll+e342|c:\windows\system32\psmsrv.dll+eb86|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088910Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:56.409{9531C931-5147-623C-7605-000000004302}42364240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088909Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:56.284{9531C931-5139-623C-5205-000000004302}15401844C:\Windows\system32\csrss.exe{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000088908Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:56.284{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+f997|C:\Windows\SYSTEM32\psmserviceexthost.dll+fa9b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1279f|C:\Windows\SYSTEM32\psmserviceexthost.dll+16992|C:\Windows\SYSTEM32\resourcepolicyserver.dll+15142|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11b0c|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b955|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000088907Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:56.284{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+3844|C:\Windows\SYSTEM32\psmserviceexthost.dll+1470c|C:\Windows\SYSTEM32\psmserviceexthost.dll+f933|C:\Windows\SYSTEM32\psmserviceexthost.dll+fa9b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1279f|C:\Windows\SYSTEM32\psmserviceexthost.dll+16992|C:\Windows\SYSTEM32\resourcepolicyserver.dll+15142|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11b0c|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b955|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000088906Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:56.284{9531C931-513D-623C-5D05-000000004302}9921892C:\Windows\system32\sihost.exe{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+47ca8|C:\Windows\System32\modernexecserver.dll+47c41|C:\Windows\System32\modernexecserver.dll+19c8a|C:\Windows\System32\modernexecserver.dll+1f6f8|C:\Windows\SYSTEM32\twinapi.appcore.dll+32a67|C:\Windows\SYSTEM32\twinapi.appcore.dll+32870|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088905Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:56.284{9531C931-286C-623C-0500-000000004302}408424C:\Windows\system32\csrss.exe{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000088904Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:56.284{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f553|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+26652|c:\windows\system32\rpcss.dll+41f51|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088903Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:56.253{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088902Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:56.253{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088901Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:56.253{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088900Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:56.253{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088899Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:56.253{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088898Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:56.253{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088897Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:56.253{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088896Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:56.206{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-5147-623C-7605-000000004302}4236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088895Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:56.159{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088894Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:56.159{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088893Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:56.159{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088892Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:56.159{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088891Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:56.159{9531C931-286C-623C-0500-000000004302}4081060C:\Windows\system32\csrss.exe{9531C931-5147-623C-7605-000000004302}4236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000088890Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:56.159{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-5147-623C-7605-000000004302}4236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000088889Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:55.913{9531C931-5147-623C-7605-000000004302}4236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000088888Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:53.771{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51758-false10.0.1.12-8000- 10341000x800000000000000088887Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:56.112{9531C931-286E-623C-2400-000000004302}11403076C:\Windows\system32\svchost.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bce2|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000088886Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:56.112{9531C931-286E-623C-2400-000000004302}11403076C:\Windows\system32\svchost.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|c:\windows\system32\tileobjserver.dll+bc8f|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a 18141800x800000000000000088885Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-ConnectPipe2022-03-24 11:08:56.112{9531C931-513E-623C-6505-000000004302}3588\TDLN-3588-41C:\Windows\Explorer.EXE 17141700x800000000000000088884Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-CreatePipe2022-03-24 11:08:56.112{9531C931-286E-623C-2400-000000004302}1140\TDLN-3588-41C:\Windows\system32\svchost.exe 10341000x800000000000000088883Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:56.112{9531C931-286E-623C-2400-000000004302}11403076C:\Windows\system32\svchost.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bce2|c:\windows\system32\tileobjserver.dll+26f12|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000088882Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:56.112{9531C931-286E-623C-2400-000000004302}11403076C:\Windows\system32\svchost.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|c:\windows\system32\tileobjserver.dll+bc8f|c:\windows\system32\tileobjserver.dll+26f12|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a 10341000x800000000000000088881Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:56.112{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088880Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:56.112{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088879Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:56.065{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088878Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:56.065{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088877Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:56.050{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088876Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:56.050{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088875Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:56.050{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088874Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:56.050{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088873Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:56.050{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088872Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:56.050{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088871Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:56.050{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088870Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:56.050{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088869Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:56.034{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088868Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:56.034{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000121083Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:57.758{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D58478AB2D25A05625ACFB6281B86D85,SHA256=7036B7A624DDBF40725008F3358C0C96B9D5F21F8CBDAFCE3124E71DF6FC22A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000089025Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.992{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089024Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.992{9531C931-513E-623C-6505-000000004302}35884288C:\Windows\Explorer.EXE{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\wpncore.dll+38f2d|C:\Windows\System32\wpncore.dll+37bbe|C:\Windows\System32\wpncore.dll+232a3|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb 10341000x800000000000000089023Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.992{9531C931-513E-623C-6505-000000004302}35884288C:\Windows\Explorer.EXE{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\wpncore.dll+38f2d|C:\Windows\System32\wpncore.dll+38e70|C:\Windows\System32\wpncore.dll+23267|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb 10341000x800000000000000089022Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.992{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+bea54|C:\Windows\System32\TwinUI.dll+bf107|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000089021Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.992{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+bea54|C:\Windows\System32\TwinUI.dll+bf107|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000089020Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.976{9531C931-513E-623C-6505-000000004302}35884464C:\Windows\Explorer.EXE{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\wpncore.dll+38f2d|C:\Windows\System32\wpncore.dll+37bbe|C:\Windows\System32\wpncore.dll+232a3|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+54153|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb 10341000x800000000000000089019Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.976{9531C931-513E-623C-6505-000000004302}35884464C:\Windows\Explorer.EXE{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\wpncore.dll+38f2d|C:\Windows\System32\wpncore.dll+38e70|C:\Windows\System32\wpncore.dll+23267|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+54153|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb 10341000x800000000000000089018Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.976{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+83c5|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7b9c|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089017Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.976{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7b3b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089016Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.976{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+8749|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7ae6|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089015Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.976{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6e17|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000089014Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.976{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6e17|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x800000000000000089013Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.976{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000089012Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.976{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6e17|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000089011Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.976{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6e17|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x800000000000000089010Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.976{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000089009Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.976{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6e17|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000089008Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.976{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6e17|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x800000000000000089007Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.976{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000089006Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.976{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089005Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.976{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089004Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.976{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089003Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.976{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089002Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.961{9531C931-513E-623C-6505-000000004302}35884464C:\Windows\Explorer.EXE{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\SHCORE.dll+35576|C:\Windows\System32\SHCORE.dll+201ef|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a 10341000x800000000000000089001Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.961{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089000Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.961{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088999Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.961{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3dff|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000088998Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.961{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3dff|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x800000000000000088997Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.929{9531C931-286C-623C-0B00-000000004302}6283668C:\Windows\system32\lsass.exe{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088996Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.867{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5266|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088995Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.867{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+521d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x800000000000000088994Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.867{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+521d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000088993Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.867{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+47a7|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000088992Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.867{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+47a7|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x800000000000000088991Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.867{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088990Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.867{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088989Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.867{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088988Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.867{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088987Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.851{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088986Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.851{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088985Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.851{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088984Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.851{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088983Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.820{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be638|C:\Windows\System32\TwinUI.dll+be89a|C:\Windows\System32\TwinUI.dll+bf095|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9a85|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000088982Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.820{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be638|C:\Windows\System32\TwinUI.dll+be89a|C:\Windows\System32\TwinUI.dll+bf095|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9a85|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000088981Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.820{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088980Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.820{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088979Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.742{9531C931-5149-623C-7905-000000004302}44204424C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088978Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.726{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088977Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.726{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088976Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.712{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088975Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.712{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000088974Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-ConnectPipe2022-03-24 11:08:57.712{9531C931-5148-623C-7705-000000004302}4308\TDLN-4308-41C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe 17141700x800000000000000088973Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-CreatePipe2022-03-24 11:08:57.712{9531C931-286E-623C-2400-000000004302}1140\TDLN-4308-41C:\Windows\system32\svchost.exe 10341000x800000000000000088972Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.712{9531C931-286E-623C-2400-000000004302}11403076C:\Windows\system32\svchost.exe{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bce2|c:\windows\system32\tileobjserver.dll+26f12|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+54153|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000088971Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.712{9531C931-286E-623C-2400-000000004302}11403076C:\Windows\system32\svchost.exe{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|c:\windows\system32\tileobjserver.dll+bc8f|c:\windows\system32\tileobjserver.dll+26f12|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+54153|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a 10341000x800000000000000088970Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.712{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088969Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.712{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088968Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.712{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088967Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.712{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088966Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.712{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088965Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.712{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088964Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.684{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b14b6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088963Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.684{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b14b6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088962Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.684{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b14b6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088961Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.684{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b14b6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088960Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.632{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000088959Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.617{9531C931-513D-623C-5D05-000000004302}9921680C:\Windows\system32\sihost.exe{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+72b5|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+b6c7|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000088958Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.617{9531C931-513D-623C-5D05-000000004302}9921680C:\Windows\system32\sihost.exe{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+684b|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+b6c7|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000088957Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.617{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b14b6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088956Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.617{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b14b6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088955Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.617{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6d1f|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+68be|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6966|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6ab5|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x800000000000000088954Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.617{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d4e3|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d7a9|C:\Windows\System32\TwinUI.dll+be638|C:\Windows\System32\TwinUI.dll+be89a|C:\Windows\System32\TwinUI.dll+bf47b|C:\Windows\System32\TwinUI.dll+bf402|C:\Windows\System32\TwinUI.dll+10acd3|C:\Windows\System32\TwinUI.dll+10b943|C:\Windows\System32\TwinUI.dll+10c487|C:\Windows\System32\TwinUI.dll+d66a4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088953Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.617{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be638|C:\Windows\System32\TwinUI.dll+be89a|C:\Windows\System32\TwinUI.dll+bf47b|C:\Windows\System32\TwinUI.dll+bf402|C:\Windows\System32\TwinUI.dll+10acd3|C:\Windows\System32\TwinUI.dll+10b943|C:\Windows\System32\TwinUI.dll+10c487|C:\Windows\System32\TwinUI.dll+d66a4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088952Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.617{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be638|C:\Windows\System32\TwinUI.dll+be89a|C:\Windows\System32\TwinUI.dll+bf47b|C:\Windows\System32\TwinUI.dll+bf402|C:\Windows\System32\TwinUI.dll+10acd3|C:\Windows\System32\TwinUI.dll+10b943|C:\Windows\System32\TwinUI.dll+10c487|C:\Windows\System32\TwinUI.dll+d66a4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088951Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.617{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+fd5ec|C:\Windows\System32\TwinUI.dll+ba684|C:\Windows\System32\TwinUI.dll+b63cb|C:\Windows\System32\TwinUI.dll+d668a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088950Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.617{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b14b6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088949Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.617{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b14b6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088948Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.601{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b14b6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088947Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.601{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b14b6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088946Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.601{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+bea54|C:\Windows\System32\TwinUI.dll+bf107|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+54153|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000088945Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.601{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+bea54|C:\Windows\System32\TwinUI.dll+bf107|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+54153|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000088944Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.586{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6d1f|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+68be|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6966|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6ab5|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+54153|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x800000000000000088943Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.586{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d4e3|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d7a9|C:\Windows\System32\TwinUI.dll+be638|C:\Windows\System32\TwinUI.dll+be89a|C:\Windows\System32\TwinUI.dll+bf41e|C:\Windows\System32\TwinUI.dll+10acd3|C:\Windows\System32\TwinUI.dll+10b943|C:\Windows\System32\TwinUI.dll+10c487|C:\Windows\System32\TwinUI.dll+d66a4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088942Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.586{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be638|C:\Windows\System32\TwinUI.dll+be89a|C:\Windows\System32\TwinUI.dll+bf41e|C:\Windows\System32\TwinUI.dll+10acd3|C:\Windows\System32\TwinUI.dll+10b943|C:\Windows\System32\TwinUI.dll+10c487|C:\Windows\System32\TwinUI.dll+d66a4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088941Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.586{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be638|C:\Windows\System32\TwinUI.dll+be89a|C:\Windows\System32\TwinUI.dll+bf41e|C:\Windows\System32\TwinUI.dll+10acd3|C:\Windows\System32\TwinUI.dll+10b943|C:\Windows\System32\TwinUI.dll+10c487|C:\Windows\System32\TwinUI.dll+d66a4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088940Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.586{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+fd5ec|C:\Windows\System32\TwinUI.dll+ba684|C:\Windows\System32\TwinUI.dll+b63cb|C:\Windows\System32\TwinUI.dll+d668a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088939Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.570{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b14b6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088938Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.570{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b14b6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088937Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.570{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b14b6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088936Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.570{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b14b6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088935Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.570{9531C931-513D-623C-6005-000000004302}32162744C:\Windows\system32\taskhostw.exe{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088934Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.398{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-5149-623C-7905-000000004302}4420C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088933Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.398{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088932Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.398{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088931Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.398{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088930Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.398{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088929Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.398{9531C931-286C-623C-0500-000000004302}408528C:\Windows\system32\csrss.exe{9531C931-5149-623C-7905-000000004302}4420C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000088928Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.398{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-5149-623C-7905-000000004302}4420C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000088927Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.181{9531C931-5149-623C-7905-000000004302}4420C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000088926Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.101{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A993D4148657254B026EC38185EA0E0,SHA256=3DB23FF411C075DCE339C0687F739C0E353CDED264B9B59954BC9CE09FC7BABE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000089097Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:58.976{9531C931-286E-623C-1400-000000004302}9523044C:\Windows\system32\svchost.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089096Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:58.976{9531C931-286E-623C-1400-000000004302}9521104C:\Windows\system32\svchost.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000089095Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:58.867{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0BEA9EEFB877A164931ACB6AE1DA786D,SHA256=3BDB81690118E22B2E2DEA6144CD910E03356B306149D6A61AFBCE54D4D5A62B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000089094Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:58.773{9531C931-286D-623C-0C00-000000004302}7204628C:\Windows\system32\svchost.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089093Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:58.773{9531C931-286D-623C-0C00-000000004302}7204628C:\Windows\system32\svchost.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|c:\windows\system32\psmsrv.dll+e342|c:\windows\system32\psmsrv.dll+eb86|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000089092Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:58.445{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=554623C065353A6F3019F55C31B763F8,SHA256=1CF7DA620B6937181A221FA4DB371D2119E280D6831A093B3CB3E1A7986032F2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000089091Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:58.382{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000089090Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:58.382{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000089089Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:58.382{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000089088Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:58.382{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000089087Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:58.382{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 23542300x8000000000000000121086Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:58.852{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63B9A55A7104A5D2C75DBBAE571042A3,SHA256=26526D3C0BE379B2C224DE5FEECF2C1A1AE6AD03F7975719EEC28167630FAE72,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000121085Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:56.098{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local53domainfalse10.0.1.15WIN-HOST-TCONTR49204- 354300x8000000000000000121084Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:56.024{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local53domainfalse10.0.1.15WIN-HOST-TCONTR59098- 10341000x800000000000000089086Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:58.382{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000089085Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:58.382{9531C931-513C-623C-5C05-000000004302}25564768C:\Windows\System32\RuntimeBroker.exe{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87 10341000x800000000000000089084Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:58.382{9531C931-513C-623C-5C05-000000004302}25564764C:\Windows\System32\RuntimeBroker.exe{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87 10341000x800000000000000089083Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:58.382{9531C931-513C-623C-5C05-000000004302}25564760C:\Windows\System32\RuntimeBroker.exe{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87 10341000x800000000000000089082Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:58.242{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+bea54|C:\Windows\System32\TwinUI.dll+bf107|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000089081Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:58.242{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+bea54|C:\Windows\System32\TwinUI.dll+bf107|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000089080Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:58.226{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000089079Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:58.226{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 23542300x800000000000000089078Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:58.226{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=074A065841AA007C06A29471EE430E43,SHA256=5716F36705C324FFB61E10036A17D3D81FFBDFDB7AA3634432532D5A836DD195,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000089077Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:58.226{9531C931-513C-623C-5C05-000000004302}25564700C:\Windows\System32\RuntimeBroker.exe{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87 10341000x800000000000000089076Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:58.226{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000089075Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:58.226{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000089074Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:58.226{9531C931-513C-623C-5C05-000000004302}25564696C:\Windows\System32\RuntimeBroker.exe{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87 10341000x800000000000000089073Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:58.211{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000089072Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:58.211{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000089071Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:58.211{9531C931-513C-623C-5C05-000000004302}25561120C:\Windows\System32\RuntimeBroker.exe{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87 10341000x800000000000000089070Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:58.211{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000089069Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:58.211{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000089068Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:58.211{9531C931-513C-623C-5C05-000000004302}25563148C:\Windows\System32\RuntimeBroker.exe{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87 10341000x800000000000000089067Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:58.211{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+54153|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000089066Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:58.211{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+54153|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000089065Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:58.211{9531C931-513C-623C-5C05-000000004302}25564688C:\Windows\System32\RuntimeBroker.exe{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+54153|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000089064Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:58.211{9531C931-513C-623C-5C05-000000004302}25564688C:\Windows\System32\RuntimeBroker.exe{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+54153|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000089063Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:58.211{9531C931-513C-623C-5C05-000000004302}25563148C:\Windows\System32\RuntimeBroker.exe{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87 10341000x800000000000000089062Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:58.211{9531C931-513C-623C-5C05-000000004302}25563312C:\Windows\System32\RuntimeBroker.exe{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87 354300x800000000000000089061Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:55.896{9531C931-286E-623C-1400-000000004302}952C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51760-false93.184.220.29-80http 354300x800000000000000089060Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:55.846{9531C931-286E-623C-1400-000000004302}952C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51759-false20.190.159.64-443https 10341000x800000000000000089059Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:58.195{9531C931-286D-623C-0C00-000000004302}7204628C:\Windows\system32\svchost.exe{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089058Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:58.195{9531C931-286D-623C-0C00-000000004302}7204628C:\Windows\system32\svchost.exe{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089057Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:58.086{9531C931-286D-623C-1100-000000004302}9321612C:\Windows\System32\svchost.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\ncbservice.dll+86ee|c:\windows\system32\ncbservice.dll+6753|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089056Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:58.086{9531C931-286D-623C-1100-000000004302}9321612C:\Windows\System32\svchost.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|c:\windows\system32\ncbservice.dll+86c0|c:\windows\system32\ncbservice.dll+6753|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000089055Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:58.086{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F8D2EAB6142F8AC5E5C9DC629CEF076,SHA256=23A58C147B2559AAEBFFD69A17D3A592B335B58C25A8DF6BEFB2D480F2AF6A8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089054Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:58.070{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2927406E2EB941D0C006A7319BCDFD90,SHA256=DBB2B773DDF8A31E6FCF4B507CE7D61BEE5895B182B1EC0385D6F89E7854839D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000089053Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:58.054{9531C931-5139-623C-5205-000000004302}15401844C:\Windows\system32\csrss.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000089052Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:58.054{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+f997|C:\Windows\SYSTEM32\psmserviceexthost.dll+fa9b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1279f|C:\Windows\SYSTEM32\psmserviceexthost.dll+16992|C:\Windows\SYSTEM32\resourcepolicyserver.dll+15142|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11b0c|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b955|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000089051Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:58.054{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+3844|C:\Windows\SYSTEM32\psmserviceexthost.dll+1470c|C:\Windows\SYSTEM32\psmserviceexthost.dll+f933|C:\Windows\SYSTEM32\psmserviceexthost.dll+fa9b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1279f|C:\Windows\SYSTEM32\psmserviceexthost.dll+16992|C:\Windows\SYSTEM32\resourcepolicyserver.dll+15142|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11b0c|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b955|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000089050Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:58.054{9531C931-513D-623C-5D05-000000004302}9922160C:\Windows\system32\sihost.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+47ca8|C:\Windows\System32\modernexecserver.dll+47c41|C:\Windows\System32\modernexecserver.dll+19c8a|C:\Windows\System32\modernexecserver.dll+1f6f8|C:\Windows\SYSTEM32\twinapi.appcore.dll+32a67|C:\Windows\SYSTEM32\twinapi.appcore.dll+32870|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089049Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:58.039{9531C931-286C-623C-0500-000000004302}4081060C:\Windows\system32\csrss.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000089048Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:58.039{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f553|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+26652|c:\windows\system32\rpcss.dll+41f51|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089047Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:58.039{9531C931-286E-623C-1500-000000004302}10401516C:\Windows\system32\svchost.exe{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089046Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:58.039{9531C931-286E-623C-1500-000000004302}10401516C:\Windows\system32\svchost.exe{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089045Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:58.023{9531C931-286E-623C-1500-000000004302}10401516C:\Windows\system32\svchost.exe{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089044Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:58.023{9531C931-286E-623C-1500-000000004302}10401516C:\Windows\system32\svchost.exe{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089043Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:58.023{9531C931-286E-623C-1500-000000004302}10401516C:\Windows\system32\svchost.exe{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089042Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:58.023{9531C931-286D-623C-0C00-000000004302}7204628C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089041Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:58.023{9531C931-286D-623C-0C00-000000004302}7204628C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089040Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:58.007{9531C931-286D-623C-0C00-000000004302}7204628C:\Windows\system32\svchost.exe{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+18aac|C:\Windows\SYSTEM32\psmserviceexthost.dll+e47e|C:\Windows\SYSTEM32\psmserviceexthost.dll+e517|C:\Windows\SYSTEM32\psmserviceexthost.dll+e22a|C:\Windows\SYSTEM32\psmserviceexthost.dll+18e78|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089039Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:58.007{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089038Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:58.007{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089037Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.992{9531C931-286D-623C-0C00-000000004302}7204628C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089036Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.992{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089035Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.992{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089034Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.992{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089033Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.992{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089032Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.992{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089031Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.992{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089030Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.992{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089029Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.992{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+bea54|C:\Windows\System32\TwinUI.dll+bf107|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000089028Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.992{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089027Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.992{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+bea54|C:\Windows\System32\TwinUI.dll+bf107|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000089026Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.992{9531C931-286D-623C-0C00-000000004302}7203384C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000121087Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:59.946{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70A13DFD9470AE8868ED3DA8556884F7,SHA256=ACC129ABEB9D0FEEB46847199B2D5CB582333128FC3B99B1DC99D828E9F778A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089199Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.922{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52AD7DBCE3C508FDC555E3428028D140,SHA256=065D5F4D146A3F315A90D6912BCBFFC1C163820B80184CBC71D2111E140715A8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000089198Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.781{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089197Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.750{9531C931-513C-623C-5C05-000000004302}25564772C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\TokenBroker.dll+1158a|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+54153|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37efc|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e 10341000x800000000000000089196Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.750{9531C931-513C-623C-5C05-000000004302}25564772C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+114b3|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+54153|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37efc|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089195Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.750{9531C931-286C-623C-0B00-000000004302}6284776C:\Windows\system32\lsass.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089194Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.750{9531C931-286C-623C-0B00-000000004302}6284776C:\Windows\system32\lsass.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000089193Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.719{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4861B745C042BD2F357FAB2762C7DB2,SHA256=03F0F9F175AC7CE4DE5BE44015CBF3D4E32CD82F104452478E0F134E0E68B997,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000089192Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.632{9531C931-513C-623C-5C05-000000004302}25564772C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87 10341000x800000000000000089191Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.632{9531C931-513C-623C-5C05-000000004302}25564772C:\Windows\System32\RuntimeBroker.exe{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87 10341000x800000000000000089190Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.632{9531C931-513C-623C-5C05-000000004302}25564772C:\Windows\System32\RuntimeBroker.exe{9531C931-5146-623C-7405-000000004302}1152C:\Windows\system32\DllHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87 10341000x800000000000000089189Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.632{9531C931-513C-623C-5C05-000000004302}25564772C:\Windows\System32\RuntimeBroker.exe{9531C931-5141-623C-6F05-000000004302}3924C:\Windows\system32\rundll32.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87 10341000x800000000000000089188Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.632{9531C931-513C-623C-5C05-000000004302}25564772C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87 10341000x800000000000000089187Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.632{9531C931-513C-623C-5C05-000000004302}25564772C:\Windows\System32\RuntimeBroker.exe{9531C931-513D-623C-6405-000000004302}4044C:\Windows\system32\userinit.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87 10341000x800000000000000089186Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.632{9531C931-513C-623C-5C05-000000004302}25564772C:\Windows\System32\RuntimeBroker.exe{9531C931-513D-623C-5E05-000000004302}2412C:\Windows\system32\svchost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87 10341000x800000000000000089185Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.632{9531C931-513C-623C-5C05-000000004302}25564772C:\Windows\System32\RuntimeBroker.exe{9531C931-513C-623C-5B05-000000004302}2344C:\Windows\System32\rdpclip.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87 10341000x800000000000000089184Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.632{9531C931-513C-623C-5C05-000000004302}25564772C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87 10341000x800000000000000089183Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.632{9531C931-513C-623C-5C05-000000004302}25564772C:\Windows\System32\RuntimeBroker.exe{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87 10341000x800000000000000089182Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.632{9531C931-513C-623C-5C05-000000004302}25564772C:\Windows\System32\RuntimeBroker.exe{9531C931-5146-623C-7405-000000004302}1152C:\Windows\system32\DllHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87 10341000x800000000000000089181Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.632{9531C931-513C-623C-5C05-000000004302}25564772C:\Windows\System32\RuntimeBroker.exe{9531C931-5141-623C-6F05-000000004302}3924C:\Windows\system32\rundll32.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87 10341000x800000000000000089180Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.632{9531C931-513C-623C-5C05-000000004302}25564772C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87 10341000x800000000000000089179Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.632{9531C931-513C-623C-5C05-000000004302}25564772C:\Windows\System32\RuntimeBroker.exe{9531C931-513D-623C-6405-000000004302}4044C:\Windows\system32\userinit.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87 10341000x800000000000000089178Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.632{9531C931-513C-623C-5C05-000000004302}25564772C:\Windows\System32\RuntimeBroker.exe{9531C931-513D-623C-5E05-000000004302}2412C:\Windows\system32\svchost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87 10341000x800000000000000089177Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.632{9531C931-513C-623C-5C05-000000004302}25564772C:\Windows\System32\RuntimeBroker.exe{9531C931-513C-623C-5B05-000000004302}2344C:\Windows\System32\rdpclip.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87 10341000x800000000000000089176Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.632{9531C931-513C-623C-5C05-000000004302}25564772C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87 10341000x800000000000000089175Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.632{9531C931-513C-623C-5C05-000000004302}25564772C:\Windows\System32\RuntimeBroker.exe{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87 10341000x800000000000000089174Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.632{9531C931-513C-623C-5C05-000000004302}25564772C:\Windows\System32\RuntimeBroker.exe{9531C931-5146-623C-7405-000000004302}1152C:\Windows\system32\DllHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87 10341000x800000000000000089173Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.632{9531C931-513C-623C-5C05-000000004302}25564772C:\Windows\System32\RuntimeBroker.exe{9531C931-5141-623C-6F05-000000004302}3924C:\Windows\system32\rundll32.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87 10341000x800000000000000089172Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.632{9531C931-513C-623C-5C05-000000004302}25564772C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87 10341000x800000000000000089171Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.632{9531C931-513C-623C-5C05-000000004302}25564772C:\Windows\System32\RuntimeBroker.exe{9531C931-513D-623C-6405-000000004302}4044C:\Windows\system32\userinit.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87 10341000x800000000000000089170Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.632{9531C931-513C-623C-5C05-000000004302}25564772C:\Windows\System32\RuntimeBroker.exe{9531C931-513D-623C-5E05-000000004302}2412C:\Windows\system32\svchost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87 10341000x800000000000000089169Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.632{9531C931-513C-623C-5C05-000000004302}25564772C:\Windows\System32\RuntimeBroker.exe{9531C931-513C-623C-5B05-000000004302}2344C:\Windows\System32\rdpclip.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87 10341000x800000000000000089168Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.601{9531C931-513C-623C-5C05-000000004302}25564772C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87 10341000x800000000000000089167Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.601{9531C931-513C-623C-5C05-000000004302}25564772C:\Windows\System32\RuntimeBroker.exe{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87 10341000x800000000000000089166Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.601{9531C931-513C-623C-5C05-000000004302}25564772C:\Windows\System32\RuntimeBroker.exe{9531C931-5146-623C-7405-000000004302}1152C:\Windows\system32\DllHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87 10341000x800000000000000089165Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.601{9531C931-513C-623C-5C05-000000004302}25564772C:\Windows\System32\RuntimeBroker.exe{9531C931-5141-623C-6F05-000000004302}3924C:\Windows\system32\rundll32.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87 10341000x800000000000000089164Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.601{9531C931-513C-623C-5C05-000000004302}25564772C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87 10341000x800000000000000089163Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.601{9531C931-513C-623C-5C05-000000004302}25564772C:\Windows\System32\RuntimeBroker.exe{9531C931-513D-623C-6405-000000004302}4044C:\Windows\system32\userinit.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87 10341000x800000000000000089162Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.601{9531C931-513C-623C-5C05-000000004302}25564772C:\Windows\System32\RuntimeBroker.exe{9531C931-513D-623C-5E05-000000004302}2412C:\Windows\system32\svchost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87 10341000x800000000000000089161Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.601{9531C931-513C-623C-5C05-000000004302}25564772C:\Windows\System32\RuntimeBroker.exe{9531C931-513C-623C-5B05-000000004302}2344C:\Windows\System32\rdpclip.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87 10341000x800000000000000089160Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.586{9531C931-513C-623C-5C05-000000004302}25564772C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87 10341000x800000000000000089159Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.586{9531C931-513C-623C-5C05-000000004302}25564772C:\Windows\System32\RuntimeBroker.exe{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87 10341000x800000000000000089158Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.586{9531C931-513C-623C-5C05-000000004302}25564772C:\Windows\System32\RuntimeBroker.exe{9531C931-5146-623C-7405-000000004302}1152C:\Windows\system32\DllHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87 10341000x800000000000000089157Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.586{9531C931-513C-623C-5C05-000000004302}25564772C:\Windows\System32\RuntimeBroker.exe{9531C931-5141-623C-6F05-000000004302}3924C:\Windows\system32\rundll32.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87 10341000x800000000000000089156Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.586{9531C931-513C-623C-5C05-000000004302}25564772C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87 10341000x800000000000000089155Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.586{9531C931-513C-623C-5C05-000000004302}25564772C:\Windows\System32\RuntimeBroker.exe{9531C931-513D-623C-6405-000000004302}4044C:\Windows\system32\userinit.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87 10341000x800000000000000089154Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.586{9531C931-513C-623C-5C05-000000004302}25564772C:\Windows\System32\RuntimeBroker.exe{9531C931-513D-623C-5E05-000000004302}2412C:\Windows\system32\svchost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87 10341000x800000000000000089153Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.586{9531C931-513C-623C-5C05-000000004302}25564772C:\Windows\System32\RuntimeBroker.exe{9531C931-513C-623C-5B05-000000004302}2344C:\Windows\System32\rdpclip.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87 10341000x800000000000000089152Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.586{9531C931-513C-623C-5C05-000000004302}25564772C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87 10341000x800000000000000089151Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.586{9531C931-513C-623C-5C05-000000004302}25564772C:\Windows\System32\RuntimeBroker.exe{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87 10341000x800000000000000089150Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.586{9531C931-513C-623C-5C05-000000004302}25564772C:\Windows\System32\RuntimeBroker.exe{9531C931-5146-623C-7405-000000004302}1152C:\Windows\system32\DllHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87 10341000x800000000000000089149Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.586{9531C931-513C-623C-5C05-000000004302}25564772C:\Windows\System32\RuntimeBroker.exe{9531C931-5141-623C-6F05-000000004302}3924C:\Windows\system32\rundll32.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87 10341000x800000000000000089148Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.586{9531C931-513C-623C-5C05-000000004302}25564772C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87 10341000x800000000000000089147Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.586{9531C931-513C-623C-5C05-000000004302}25564772C:\Windows\System32\RuntimeBroker.exe{9531C931-513D-623C-6405-000000004302}4044C:\Windows\system32\userinit.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87 10341000x800000000000000089146Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.586{9531C931-513C-623C-5C05-000000004302}25564772C:\Windows\System32\RuntimeBroker.exe{9531C931-513D-623C-5E05-000000004302}2412C:\Windows\system32\svchost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87 10341000x800000000000000089145Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.586{9531C931-513C-623C-5C05-000000004302}25564772C:\Windows\System32\RuntimeBroker.exe{9531C931-513C-623C-5B05-000000004302}2344C:\Windows\System32\rdpclip.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87 10341000x800000000000000089144Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.586{9531C931-513C-623C-5C05-000000004302}25564772C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87 10341000x800000000000000089143Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.586{9531C931-513C-623C-5C05-000000004302}25564772C:\Windows\System32\RuntimeBroker.exe{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87 10341000x800000000000000089142Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.586{9531C931-513C-623C-5C05-000000004302}25564772C:\Windows\System32\RuntimeBroker.exe{9531C931-5146-623C-7405-000000004302}1152C:\Windows\system32\DllHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87 10341000x800000000000000089141Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.586{9531C931-513C-623C-5C05-000000004302}25564772C:\Windows\System32\RuntimeBroker.exe{9531C931-5141-623C-6F05-000000004302}3924C:\Windows\system32\rundll32.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87 10341000x800000000000000089140Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.586{9531C931-513C-623C-5C05-000000004302}25564772C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87 10341000x800000000000000089139Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.586{9531C931-513C-623C-5C05-000000004302}25564772C:\Windows\System32\RuntimeBroker.exe{9531C931-513D-623C-6405-000000004302}4044C:\Windows\system32\userinit.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87 10341000x800000000000000089138Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.586{9531C931-513C-623C-5C05-000000004302}25564772C:\Windows\System32\RuntimeBroker.exe{9531C931-513D-623C-5E05-000000004302}2412C:\Windows\system32\svchost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87 10341000x800000000000000089137Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.586{9531C931-513C-623C-5C05-000000004302}25564772C:\Windows\System32\RuntimeBroker.exe{9531C931-513C-623C-5B05-000000004302}2344C:\Windows\System32\rdpclip.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87 10341000x800000000000000089136Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.570{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-514B-623C-7B05-000000004302}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089135Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.554{9531C931-286D-623C-0C00-000000004302}7204628C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089134Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.554{9531C931-286D-623C-0C00-000000004302}7204628C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089133Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.554{9531C931-286D-623C-0C00-000000004302}7204628C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089132Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.554{9531C931-286D-623C-0C00-000000004302}7204628C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089131Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.554{9531C931-286C-623C-0500-000000004302}408424C:\Windows\system32\csrss.exe{9531C931-514B-623C-7B05-000000004302}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000089130Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.554{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-514B-623C-7B05-000000004302}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000089129Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.323{9531C931-514B-623C-7B05-000000004302}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000089128Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.554{9531C931-513C-623C-5C05-000000004302}25564772C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87 10341000x800000000000000089127Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.554{9531C931-513C-623C-5C05-000000004302}25564772C:\Windows\System32\RuntimeBroker.exe{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87 10341000x800000000000000089126Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.554{9531C931-513C-623C-5C05-000000004302}25564772C:\Windows\System32\RuntimeBroker.exe{9531C931-5146-623C-7405-000000004302}1152C:\Windows\system32\DllHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87 10341000x800000000000000089125Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.554{9531C931-513C-623C-5C05-000000004302}25564772C:\Windows\System32\RuntimeBroker.exe{9531C931-5141-623C-6F05-000000004302}3924C:\Windows\system32\rundll32.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87 10341000x800000000000000089124Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.554{9531C931-513C-623C-5C05-000000004302}25564772C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87 10341000x800000000000000089123Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.554{9531C931-513C-623C-5C05-000000004302}25564772C:\Windows\System32\RuntimeBroker.exe{9531C931-513D-623C-6405-000000004302}4044C:\Windows\system32\userinit.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87 10341000x800000000000000089122Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.554{9531C931-513C-623C-5C05-000000004302}25564772C:\Windows\System32\RuntimeBroker.exe{9531C931-513D-623C-5E05-000000004302}2412C:\Windows\system32\svchost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87 10341000x800000000000000089121Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.554{9531C931-513C-623C-5C05-000000004302}25564772C:\Windows\System32\RuntimeBroker.exe{9531C931-513C-623C-5B05-000000004302}2344C:\Windows\System32\rdpclip.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87 10341000x800000000000000089120Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.539{9531C931-513C-623C-5C05-000000004302}25564772C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+b8fc|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a 10341000x800000000000000089119Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.507{9531C931-513C-623C-5C05-000000004302}25564772C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+c370|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e 10341000x800000000000000089118Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.507{9531C931-513C-623C-5C05-000000004302}25564772C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+7e00|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e 23542300x800000000000000089117Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.351{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F8FF1B0879F78C1788A51FFA8E24D72,SHA256=61BB65967D1CC11097F6B1ACE7CADBDB092AC048819DEC9AFBDCFA2DF833F8E3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000089116Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.226{9531C931-513C-623C-5C05-000000004302}25564772C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+7e00|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e 10341000x800000000000000089115Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.179{9531C931-513C-623C-5C05-000000004302}25564772C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+7e00|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e 10341000x800000000000000089114Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.164{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6d1f|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+68be|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6966|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6ab5|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+54153|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x800000000000000089113Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.148{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d4e3|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d7a9|C:\Windows\System32\TwinUI.dll+be638|C:\Windows\System32\TwinUI.dll+be89a|C:\Windows\System32\TwinUI.dll+bf41e|C:\Windows\System32\TwinUI.dll+10acd3|C:\Windows\System32\TwinUI.dll+10b943|C:\Windows\System32\TwinUI.dll+10c487|C:\Windows\System32\TwinUI.dll+d66a4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089112Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.148{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be638|C:\Windows\System32\TwinUI.dll+be89a|C:\Windows\System32\TwinUI.dll+bf41e|C:\Windows\System32\TwinUI.dll+10acd3|C:\Windows\System32\TwinUI.dll+10b943|C:\Windows\System32\TwinUI.dll+10c487|C:\Windows\System32\TwinUI.dll+d66a4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089111Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.148{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be638|C:\Windows\System32\TwinUI.dll+be89a|C:\Windows\System32\TwinUI.dll+bf41e|C:\Windows\System32\TwinUI.dll+10acd3|C:\Windows\System32\TwinUI.dll+10b943|C:\Windows\System32\TwinUI.dll+10c487|C:\Windows\System32\TwinUI.dll+d66a4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089110Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.148{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+fd5ec|C:\Windows\System32\TwinUI.dll+ba684|C:\Windows\System32\TwinUI.dll+b63cb|C:\Windows\System32\TwinUI.dll+d668a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089109Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.148{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b14b6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089108Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.148{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b14b6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000089107Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.414{9531C931-286E-623C-1400-000000004302}952C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51761-false20.190.159.64-443https 10341000x800000000000000089106Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.148{9531C931-286D-623C-0C00-000000004302}7204628C:\Windows\system32\svchost.exe{9531C931-286D-623C-1100-000000004302}932C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089105Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.148{9531C931-286D-623C-0C00-000000004302}7204628C:\Windows\system32\svchost.exe{9531C931-286D-623C-1100-000000004302}932C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089104Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.148{9531C931-286D-623C-0C00-000000004302}7204628C:\Windows\system32\svchost.exe{9531C931-286D-623C-1100-000000004302}932C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089103Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.148{9531C931-286D-623C-0C00-000000004302}7204628C:\Windows\system32\svchost.exe{9531C931-286D-623C-1100-000000004302}932C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089102Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.148{9531C931-286D-623C-0C00-000000004302}7204628C:\Windows\system32\svchost.exe{9531C931-286D-623C-1100-000000004302}932C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089101Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.132{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b14b6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089100Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.132{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b14b6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089099Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.132{9531C931-513D-623C-6005-000000004302}32162744C:\Windows\system32\taskhostw.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089098Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.101{9531C931-286C-623C-0B00-000000004302}6284776C:\Windows\system32\lsass.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089332Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.987{9531C931-286D-623C-0C00-000000004302}7204628C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089331Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.987{9531C931-286D-623C-0C00-000000004302}7204628C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089330Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.987{9531C931-286D-623C-0C00-000000004302}7204628C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089329Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.987{9531C931-513C-623C-5C05-000000004302}25564812C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\execmodelclient.dll+f98a|C:\Windows\System32\execmodelclient.dll+f830|C:\Windows\System32\execmodelclient.dll+1e079|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37efc|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87 10341000x800000000000000089328Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.987{9531C931-286D-623C-0C00-000000004302}7204628C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089327Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.987{9531C931-513C-623C-5C05-000000004302}25564812C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\execmodelclient.dll+f98a|C:\Windows\System32\execmodelclient.dll+f8ac|C:\Windows\System32\execmodelclient.dll+1e05b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37efc|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87 10341000x800000000000000089326Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.987{9531C931-286D-623C-0C00-000000004302}7204628C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089325Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.987{9531C931-286D-623C-0C00-000000004302}7204628C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089324Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.971{9531C931-286D-623C-0C00-000000004302}7204628C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089323Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.971{9531C931-286D-623C-0C00-000000004302}7204628C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000089322Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.971{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA17E6C23B957BE311BD7C21F221D880,SHA256=B6BD9128E8DF11231527CF5C1E2BA6E152409CC1055A3A7C75C4E194571F7393,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000089321Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.971{9531C931-286D-623C-0C00-000000004302}7204628C:\Windows\system32\svchost.exe{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089320Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.971{9531C931-513C-623C-5C05-000000004302}25564812C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000089319Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.971{9531C931-513C-623C-5C05-000000004302}25564812C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000089318Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.956{9531C931-286D-623C-0C00-000000004302}7204628C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089317Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.956{9531C931-286D-623C-0C00-000000004302}7204628C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089316Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.956{9531C931-286D-623C-0C00-000000004302}7204628C:\Windows\system32\svchost.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+18aac|C:\Windows\SYSTEM32\psmserviceexthost.dll+e47e|C:\Windows\SYSTEM32\psmserviceexthost.dll+e517|C:\Windows\SYSTEM32\psmserviceexthost.dll+e22a|C:\Windows\SYSTEM32\psmserviceexthost.dll+18e78|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089315Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.956{9531C931-286D-623C-0C00-000000004302}7204628C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089314Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.956{9531C931-286D-623C-0C00-000000004302}7204628C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000089313Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.956{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7D845CE5D017D8D6AF701A88CBF3831,SHA256=34DF79959F0E71683CBD2BD41AEDCED63F834E9081193674CC483879ECD560AD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000089312Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.862{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_20[1].txt2022-03-24 11:09:00.862 23542300x800000000000000089311Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.862{9531C931-5149-623C-7A05-000000004302}4508WIN-HOST-TCONTR\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_20[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000089310Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.862{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_20[1].txt2022-03-24 11:09:00.862 10341000x800000000000000089309Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.862{9531C931-286E-623C-1500-000000004302}1040108C:\Windows\system32\svchost.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x100000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+54153|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000089308Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.862{9531C931-513D-623C-6005-000000004302}32162744C:\Windows\system32\taskhostw.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089307Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.815{9531C931-286D-623C-0C00-000000004302}7204628C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089306Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.800{9531C931-286D-623C-0C00-000000004302}7204628C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089305Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.784{9531C931-286D-623C-0C00-000000004302}7204628C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089304Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.768{9531C931-513E-623C-6605-000000004302}7803780C:\Windows\System32\svchost.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b130|c:\windows\system32\appreadiness.dll+bf29|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000089303Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.768{9531C931-513E-623C-6605-000000004302}7803780C:\Windows\System32\svchost.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b063|c:\windows\system32\appreadiness.dll+beb1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000089302Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.768{9531C931-513E-623C-6605-000000004302}7803912C:\Windows\System32\svchost.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b130|c:\windows\system32\appreadiness.dll+bf29|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000089301Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.768{9531C931-513E-623C-6605-000000004302}7803912C:\Windows\System32\svchost.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b063|c:\windows\system32\appreadiness.dll+beb1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000089300Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.768{9531C931-513E-623C-6605-000000004302}7803912C:\Windows\System32\svchost.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b130|c:\windows\system32\appreadiness.dll+b71e|c:\windows\system32\appreadiness.dll+b625|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc 23542300x800000000000000089299Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.753{9531C931-513E-623C-6505-000000004302}3588WIN-HOST-TCONTR\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Caches\{0BDE7B0F-B905-4D30-88C9-B63C603DA134}.3.ver0x0000000000000001.dbMD5=F3DC4461F59519C68ABD86B979EA9762,SHA256=5896967D61C1C716C98511DCFC267A12749D330E5DEB35ECCB4690DFA756C964,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000089298Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.737{9531C931-286D-623C-0C00-000000004302}7204628C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089297Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.721{9531C931-286D-623C-0C00-000000004302}7204628C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089296Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.721{9531C931-513E-623C-6605-000000004302}7803912C:\Windows\System32\svchost.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b063|c:\windows\system32\appreadiness.dll+b680|c:\windows\system32\appreadiness.dll+b625|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc 10341000x800000000000000089295Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.721{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000089294Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.721{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000089293Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.721{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000089292Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.721{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000089291Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.706{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089290Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.706{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+bea54|C:\Windows\System32\TwinUI.dll+bf107|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000089289Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.706{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+bea54|C:\Windows\System32\TwinUI.dll+bf107|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 11241100x800000000000000089288Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.706{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_19[1].txt2022-03-24 11:09:00.706 10341000x800000000000000089287Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.706{9531C931-513D-623C-5D05-000000004302}9921680C:\Windows\system32\sihost.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+72b5|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+b6c7|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000089286Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.706{9531C931-513D-623C-5D05-000000004302}9921680C:\Windows\system32\sihost.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+684b|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+b6c7|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 23542300x800000000000000089285Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.706{9531C931-5149-623C-7A05-000000004302}4508WIN-HOST-TCONTR\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_19[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000089284Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.706{9531C931-513E-623C-6505-000000004302}35884180C:\Windows\Explorer.EXE{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1493a6|C:\Windows\System32\TwinUI.dll+82cf7|C:\Windows\System32\TwinUI.dll+183ed3|C:\Windows\SYSTEM32\ntdll.dll+80a34|C:\Windows\SYSTEM32\ntdll.dll+1e8a2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089283Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.706{9531C931-513E-623C-6505-000000004302}35884180C:\Windows\Explorer.EXE{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1493a6|C:\Windows\System32\TwinUI.dll+82cf7|C:\Windows\System32\TwinUI.dll+183ed3|C:\Windows\SYSTEM32\ntdll.dll+80a34|C:\Windows\SYSTEM32\ntdll.dll+1e8a2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000089282Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.706{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_19[1].txt2022-03-24 11:09:00.706 10341000x800000000000000089281Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.706{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+bea54|C:\Windows\System32\TwinUI.dll+bf107|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000089280Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.706{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+bea54|C:\Windows\System32\TwinUI.dll+bf107|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 11241100x800000000000000089279Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.690{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_18[1].txt2022-03-24 11:09:00.690 23542300x800000000000000089278Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.690{9531C931-5149-623C-7A05-000000004302}4508WIN-HOST-TCONTR\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_18[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000089277Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.690{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_18[1].txt2022-03-24 11:09:00.690 10341000x800000000000000089276Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.643{9531C931-513D-623C-6005-000000004302}32162744C:\Windows\system32\taskhostw.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089275Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.628{9531C931-286E-623C-1500-000000004302}10401516C:\Windows\system32\svchost.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089274Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.628{9531C931-286E-623C-1500-000000004302}10401516C:\Windows\system32\svchost.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000089273Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.628{9531C931-513E-623C-6505-000000004302}3588WIN-HOST-TCONTR\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\1033\StructuredQuerySchema.binMD5=E871053170AD09568882637D049295DC,SHA256=CEA9EABB0B46AC602CDC3FB6FE6215981F2D7C0C6A5C5023CE72860232DBE12B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000089272Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.534{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_17[1].txt2022-03-24 11:09:00.518 23542300x800000000000000089271Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.534{9531C931-5149-623C-7A05-000000004302}4508WIN-HOST-TCONTR\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_17[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000089270Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.534{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_17[1].txt2022-03-24 11:09:00.518 11241100x800000000000000089269Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.518{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_16[1].txt2022-03-24 11:09:00.518 23542300x800000000000000089268Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.518{9531C931-5149-623C-7A05-000000004302}4508WIN-HOST-TCONTR\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_16[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000089267Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.518{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_16[1].txt2022-03-24 11:09:00.518 11241100x800000000000000089266Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.518{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_15[1].txt2022-03-24 11:09:00.518 23542300x800000000000000089265Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.518{9531C931-5149-623C-7A05-000000004302}4508WIN-HOST-TCONTR\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_15[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000089264Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.518{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_15[1].txt2022-03-24 11:09:00.518 11241100x800000000000000089263Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.518{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_14[1].txt2022-03-24 11:09:00.518 23542300x800000000000000089262Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.518{9531C931-5149-623C-7A05-000000004302}4508WIN-HOST-TCONTR\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_14[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000089261Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.518{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_14[1].txt2022-03-24 11:09:00.518 11241100x800000000000000089260Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.518{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_13[1].txt2022-03-24 11:09:00.518 23542300x800000000000000089259Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.518{9531C931-5149-623C-7A05-000000004302}4508WIN-HOST-TCONTR\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_13[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000089258Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.518{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_13[1].txt2022-03-24 11:09:00.518 11241100x800000000000000089257Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.503{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_12[1].txt2022-03-24 11:09:00.503 23542300x800000000000000089256Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.503{9531C931-5149-623C-7A05-000000004302}4508WIN-HOST-TCONTR\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_12[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000089255Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.503{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_12[1].txt2022-03-24 11:09:00.503 11241100x800000000000000089254Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.503{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_11[1].txt2022-03-24 11:09:00.503 23542300x800000000000000089253Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.503{9531C931-5149-623C-7A05-000000004302}4508WIN-HOST-TCONTR\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_11[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000089252Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.503{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_11[1].txt2022-03-24 11:09:00.503 11241100x800000000000000089251Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.503{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_10[1].txt2022-03-24 11:09:00.503 23542300x800000000000000089250Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.503{9531C931-5149-623C-7A05-000000004302}4508WIN-HOST-TCONTR\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_10[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000089249Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.503{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_10[1].txt2022-03-24 11:09:00.503 11241100x800000000000000089248Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.487{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_9[1].txt2022-03-24 11:09:00.487 23542300x800000000000000089247Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.487{9531C931-5149-623C-7A05-000000004302}4508WIN-HOST-TCONTR\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_9[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000089246Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.487{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_9[1].txt2022-03-24 11:09:00.487 11241100x800000000000000089245Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.487{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_8[1].txt2022-03-24 11:09:00.487 23542300x800000000000000089244Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.487{9531C931-5149-623C-7A05-000000004302}4508WIN-HOST-TCONTR\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_8[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000089243Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.487{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_8[1].txt2022-03-24 11:09:00.487 11241100x800000000000000089242Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.487{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_7[1].txt2022-03-24 11:09:00.487 23542300x800000000000000089241Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.487{9531C931-5149-623C-7A05-000000004302}4508WIN-HOST-TCONTR\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_7[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000089240Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.487{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_7[1].txt2022-03-24 11:09:00.487 11241100x800000000000000089239Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.487{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_6[1].txt2022-03-24 11:09:00.487 23542300x800000000000000089238Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.487{9531C931-5149-623C-7A05-000000004302}4508WIN-HOST-TCONTR\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_6[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000089237Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.487{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_6[1].txt2022-03-24 11:09:00.487 11241100x800000000000000089236Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.471{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_5[1].txt2022-03-24 11:09:00.471 23542300x800000000000000089235Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.471{9531C931-5149-623C-7A05-000000004302}4508WIN-HOST-TCONTR\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_5[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000089234Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.471{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_5[1].txt2022-03-24 11:09:00.471 11241100x800000000000000089233Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.471{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_4[1].txt2022-03-24 11:09:00.471 23542300x800000000000000089232Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.471{9531C931-5149-623C-7A05-000000004302}4508WIN-HOST-TCONTR\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_4[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000089231Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.471{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_4[1].txt2022-03-24 11:09:00.471 11241100x800000000000000089230Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.471{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_3[1].txt2022-03-24 11:09:00.456 23542300x800000000000000089229Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.471{9531C931-5149-623C-7A05-000000004302}4508WIN-HOST-TCONTR\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_3[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000089228Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.471{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_3[1].txt2022-03-24 11:09:00.456 11241100x800000000000000089227Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.456{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_2[1].txt2022-03-24 11:09:00.456 23542300x800000000000000089226Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.456{9531C931-5149-623C-7A05-000000004302}4508WIN-HOST-TCONTR\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_2[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000089225Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.456{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_2[1].txt2022-03-24 11:09:00.456 10341000x800000000000000089224Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.393{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5266|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089223Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.393{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+925b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+650d|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+521d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x800000000000000089222Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.393{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+521d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x800000000000000089221Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.393{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+521d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000089220Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.393{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+925b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+650d|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+47a7|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000089219Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.393{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+47a7|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000089218Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.393{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+47a7|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 354300x8000000000000000121090Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:57.871{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local53domainfalse10.0.1.15WIN-HOST-TCONTR64569- 354300x8000000000000000121089Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:57.780{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local53domainfalse10.0.1.15WIN-HOST-TCONTR63177- 354300x8000000000000000121088Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:57.780{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local53domainfalse10.0.1.15WIN-HOST-TCONTR58984- 23542300x800000000000000089217Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.299{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=282DD09ACF7B74911D448C0866018B52,SHA256=57F9848526A615E09F7C5AF875C3BCFBD4E4FEDB8AD4541818B4CD541EF69835,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000089216Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.284{9531C931-513C-623C-5C05-000000004302}25564812C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089215Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.284{9531C931-513C-623C-5C05-000000004302}25564812C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 354300x800000000000000089214Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:57.684{9531C931-513E-623C-6505-000000004302}3588C:\Windows\explorer.exeWIN-HOST-TCONTR\Administratortcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51762-false20.199.120.182-443https 10341000x800000000000000089213Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.206{9531C931-286E-623C-1400-000000004302}9523044C:\Windows\system32\svchost.exe{9531C931-514C-623C-7C05-000000004302}4948C:\Windows\System32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089212Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.206{9531C931-286E-623C-1400-000000004302}9521104C:\Windows\system32\svchost.exe{9531C931-514C-623C-7C05-000000004302}4948C:\Windows\System32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089211Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.200{9531C931-5139-623C-5205-000000004302}15401684C:\Windows\system32\csrss.exe{9531C931-514C-623C-7C05-000000004302}4948C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000089210Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.196{9531C931-286D-623C-0C00-000000004302}7204628C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089209Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.196{9531C931-286D-623C-0C00-000000004302}7204628C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089208Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.196{9531C931-286C-623C-0500-000000004302}408424C:\Windows\system32\csrss.exe{9531C931-514C-623C-7C05-000000004302}4948C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000089207Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.196{9531C931-286D-623C-0C00-000000004302}7204628C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089206Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.196{9531C931-286D-623C-0C00-000000004302}7204628C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089205Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.195{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-514C-623C-7C05-000000004302}4948C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f553|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+26652|c:\windows\system32\rpcss.dll+424dd|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000089204Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.194{9531C931-514C-623C-7C05-000000004302}4948C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXEC:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -EmbeddingC:\Windows\system32\WIN-HOST-TCONTR\Administrator{9531C931-513B-623C-21B3-330000000000}0x33b3212HighMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{9531C931-286D-623C-0C00-000000004302}720C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 23542300x800000000000000089203Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.194{9531C931-286E-623C-1F00-000000004302}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0461bb3aaa367e86a\channels\health\respondent-20220324081441-169MD5=E0BA989DE2EAC2D304FA728EF5181BE5,SHA256=79811ABCB3575FCAAAD7A2ED1966FC2D319842A68AFDD7DF3600AD47FF32DF65,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000089202Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:09:00.172{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXEHKU\S-1-5-21-2214540325-3392803530-572759246-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{23170F69-40C1-278A-1000-000100020000} {000214E4-0000-0000-C000-000000000046} 0xFFFFBinary Data 10341000x800000000000000089201Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.141{9531C931-513C-623C-5C05-000000004302}25564812C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+14e60|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e 23542300x800000000000000089200Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:00.094{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=4FC3C50EB0CB2E674326A3E12F957276,SHA256=B726E0C53A86EEEB86D0310B8500C102E8820F27D2E34338A42472A3D52BF937,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000089463Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.986{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11b6c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089462Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.986{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089461Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.986{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089460Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.986{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089459Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.986{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089458Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.973{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089457Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.955{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089456Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.955{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1528d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009 10341000x800000000000000089455Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.955{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000089454Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.955{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000089453Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.955{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11b6c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089452Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.939{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089451Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.939{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089450Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.939{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089449Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.939{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089448Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.939{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089447Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.939{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089446Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.924{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089445Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.924{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089444Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.924{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089443Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.924{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089442Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.924{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089441Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.924{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089440Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.924{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089439Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.924{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089438Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.924{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089437Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.924{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089436Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.908{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089435Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.908{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089434Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.908{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089433Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.908{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089432Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.908{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089431Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.908{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089430Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.908{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089429Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.908{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089428Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.908{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089427Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.908{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089426Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.908{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089425Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.908{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089424Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.908{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089423Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.908{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089422Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.908{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089421Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.908{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089420Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.892{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089419Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.892{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089418Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.892{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089417Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.892{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089416Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.878{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089415Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.878{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089414Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.878{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089413Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.878{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089412Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.878{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089411Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.878{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089410Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.878{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089409Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.878{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089408Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.862{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1528d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009 10341000x800000000000000089407Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.862{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000089406Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.862{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000089405Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.862{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11b6c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089404Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.846{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089403Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.846{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089402Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.846{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089401Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.846{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089400Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.846{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089399Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.846{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089398Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.846{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089397Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.846{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089396Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.846{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089395Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.846{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089394Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.846{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089393Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.846{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089392Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.846{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1528d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+182c9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11417|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009 10341000x800000000000000089391Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.846{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+182c9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11417|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000089390Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.831{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+182c9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11417|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000089389Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.831{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+18280|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11417|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000089388Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.814{9531C931-513C-623C-5C05-000000004302}25564812C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a752|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a87f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a26c|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e 10341000x800000000000000089387Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.576{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b14b6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089386Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.576{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b14b6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089385Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.527{9531C931-513C-623C-5C05-000000004302}25564812C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+5bb0|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e 10341000x800000000000000089384Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.465{9531C931-513C-623C-5C05-000000004302}25564812C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089383Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.465{9531C931-513C-623C-5C05-000000004302}25564812C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e 10341000x800000000000000089382Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.465{9531C931-513C-623C-5C05-000000004302}25564812C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+5bb0|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e 10341000x800000000000000089381Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.387{9531C931-513C-623C-5C05-000000004302}25564812C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089380Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.387{9531C931-513C-623C-5C05-000000004302}25564812C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e 23542300x800000000000000089379Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.387{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDD63F4EA916B0A4621B21962F74AD6A,SHA256=D006A42E5E35278997167A0A530052B6D53EE34682FA4E02AEEB47CE0F9F3C68,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000089378Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.356{9531C931-286D-623C-0C00-000000004302}7204628C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089377Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.341{9531C931-286D-623C-0C00-000000004302}7204628C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089376Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.341{9531C931-286E-623C-1500-000000004302}10401516C:\Windows\system32\svchost.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000089375Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.324{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6918BD567DF889FED769ABEB66C63D3B,SHA256=F69FE085DB0497839F062090E5851758855E34046E308577F26816E77D3E1315,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000121092Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:58.871{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63404-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000121091Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:01.039{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05C990A5408DC281300B3431EF8959B1,SHA256=8AFC35EF7E358F3C75DE73A7F45AE5731C92902F8664995FAD5CC24800C6536E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089374Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.199{9531C931-5149-623C-7A05-000000004302}4508WIN-HOST-TCONTR\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\2\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_CortanaIcon[1].pngMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089373Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.195{9531C931-286E-623C-1F00-000000004302}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0461bb3aaa367e86a\channels\health\surveyor-20220324081439-170MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089372Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.194{9531C931-5149-623C-7A05-000000004302}4508WIN-HOST-TCONTR\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\2\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_COOBE[1].htmlMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000089371Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.174{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089370Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.174{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000089369Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.159{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_22[1].txt2022-03-24 11:09:01.159 23542300x800000000000000089368Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.159{9531C931-5149-623C-7A05-000000004302}4508WIN-HOST-TCONTR\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_22[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000089367Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.159{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_22[1].txt2022-03-24 11:09:01.159 10341000x800000000000000089366Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.159{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b14b6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089365Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.159{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b14b6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089364Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.159{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b14b6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089363Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.159{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b14b6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089362Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.159{9531C931-513D-623C-5D05-000000004302}9921680C:\Windows\system32\sihost.exe{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+72b5|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+b6c7|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000089361Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.159{9531C931-513D-623C-5D05-000000004302}9921680C:\Windows\system32\sihost.exe{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+684b|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+b6c7|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000089360Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.143{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b14b6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089359Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.143{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089358Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.128{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b14b6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089357Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.128{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089356Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.128{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089355Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.128{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089354Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.128{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6d1f|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+68be|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6966|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6ab5|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x800000000000000089353Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.128{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b14b6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089352Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.128{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b14b6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089351Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.128{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089350Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.128{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b14b6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089349Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.128{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089348Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.128{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b14b6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089347Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.128{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089346Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.128{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089345Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.096{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089344Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.096{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089343Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.082{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089342Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.082{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089341Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.067{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089340Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.067{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089339Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.050{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089338Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.050{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089337Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.018{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000089336Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.018{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_21[1].txt2022-03-24 11:09:01.018 23542300x800000000000000089335Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.018{9531C931-5149-623C-7A05-000000004302}4508WIN-HOST-TCONTR\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_21[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000089334Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.018{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000089333Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.018{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_21[1].txt2022-03-24 11:09:01.018 10341000x800000000000000090080Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.986{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1528d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009 10341000x800000000000000090079Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.986{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000090078Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.986{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000090077Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.986{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11b6c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090076Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.986{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090075Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.986{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090074Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.986{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090073Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.986{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090072Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.986{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090071Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.986{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090070Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.986{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090069Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.986{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090068Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.986{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090067Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.986{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090066Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.986{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090065Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.986{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090064Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.986{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090063Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.986{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090062Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.986{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090061Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.986{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090060Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.986{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090059Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.986{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090058Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.986{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090057Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.986{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090056Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.972{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090055Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.972{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090054Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.972{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090053Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.972{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090052Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.972{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090051Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.972{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090050Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.972{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090049Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.972{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090048Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.972{9531C931-286E-623C-1500-000000004302}10401516C:\Windows\system32\svchost.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090047Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.972{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090046Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.972{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090045Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.972{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090044Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.972{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090043Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.972{9531C931-286E-623C-1500-000000004302}10401516C:\Windows\system32\svchost.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090042Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.972{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090041Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.972{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090040Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.972{9531C931-286E-623C-1500-000000004302}10401516C:\Windows\system32\svchost.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090039Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.972{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090038Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.972{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090037Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.972{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090036Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.972{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090035Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.972{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090034Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.972{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090033Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.972{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090032Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.955{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090031Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.955{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090030Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.955{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090029Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.955{9531C931-513D-623C-6005-000000004302}32162744C:\Windows\system32\taskhostw.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090028Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.955{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1528d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009 10341000x800000000000000090027Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.955{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000090026Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.955{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000090025Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.955{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11b6c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090024Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.955{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090023Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.955{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090022Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.955{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090021Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.955{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090020Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.955{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1528d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009 10341000x800000000000000090019Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.955{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000090018Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.955{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000090017Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.955{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11b6c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090016Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.955{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090015Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.955{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090014Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.955{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090013Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.955{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090012Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.955{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090011Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.955{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090010Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.955{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090009Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.955{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090008Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.955{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090007Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.955{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090006Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.955{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090005Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.955{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090004Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.955{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090003Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.955{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090002Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.955{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090001Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.955{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090000Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.955{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089999Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.955{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089998Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.955{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089997Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.955{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089996Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.955{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089995Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.955{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089994Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.955{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089993Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.955{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089992Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.955{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089991Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.955{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089990Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.955{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089989Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.955{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089988Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.955{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089987Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.955{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089986Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.955{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089985Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.955{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089984Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.955{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089983Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.955{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089982Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.955{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089981Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.955{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089980Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.955{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089979Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.955{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089978Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.955{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089977Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.955{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089976Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.955{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089975Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.955{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089974Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.955{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089973Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.955{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089972Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.940{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1528d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009 10341000x800000000000000089971Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.940{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000089970Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.940{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000089969Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.940{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11b6c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089968Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.940{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089967Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.940{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089966Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.940{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089965Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.940{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089964Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.940{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089963Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.940{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089962Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.940{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089961Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.940{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089960Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.940{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089959Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.940{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089958Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.940{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089957Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.940{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089956Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.940{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1528d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+182c9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11417|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009 10341000x800000000000000089955Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.940{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+182c9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11417|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000089954Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.940{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+182c9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11417|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000089953Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.940{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+18280|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11417|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000089952Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.940{9531C931-513C-623C-5C05-000000004302}25564900C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a752|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a87f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a26c|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e 10341000x800000000000000089951Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.877{9531C931-513C-623C-5C05-000000004302}25564900C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+5bb0|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e 10341000x800000000000000089950Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.861{9531C931-513C-623C-5C05-000000004302}25564900C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089949Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.861{9531C931-513C-623C-5C05-000000004302}25564900C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e 10341000x800000000000000089948Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.861{9531C931-513C-623C-5C05-000000004302}25564900C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+5bb0|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e 10341000x800000000000000089947Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.861{9531C931-513C-623C-5C05-000000004302}25564900C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089946Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.861{9531C931-513C-623C-5C05-000000004302}25564900C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e 10341000x800000000000000089945Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.846{9531C931-286D-623C-0C00-000000004302}7204628C:\Windows\system32\svchost.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089944Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.799{9531C931-513C-623C-5C05-000000004302}25564900C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089943Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.799{9531C931-513C-623C-5C05-000000004302}25564900C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089942Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.658{9531C931-513C-623C-5C05-000000004302}25564892C:\Windows\System32\RuntimeBroker.exe{9531C931-514E-623C-7D05-000000004302}4236C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\shcore.dll+35576|C:\Windows\System32\shcore.dll+201ef|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a 10341000x800000000000000089941Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.658{9531C931-513C-623C-5C05-000000004302}25564892C:\Windows\System32\RuntimeBroker.exe{9531C931-514E-623C-7D05-000000004302}4236C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\shcore.dll+35576|C:\Windows\System32\shcore.dll+201ef|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a 10341000x800000000000000089940Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.642{9531C931-513C-623C-5C05-000000004302}25564892C:\Windows\System32\RuntimeBroker.exe{9531C931-514E-623C-7D05-000000004302}4236C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\shcore.dll+35576|C:\Windows\System32\shcore.dll+201ef|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a 10341000x800000000000000089939Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.642{9531C931-513C-623C-5C05-000000004302}25564892C:\Windows\System32\RuntimeBroker.exe{9531C931-514E-623C-7D05-000000004302}4236C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\shcore.dll+35576|C:\Windows\System32\shcore.dll+201ef|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+54153|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a 13241300x800000000000000089938Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:09:02.611{9531C931-513C-623C-5C05-000000004302}2556C:\Windows\System32\RuntimeBroker.exeHKU\S-1-5-21-2214540325-3392803530-572759246-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{FBF23B40-E3F0-101B-8488-00AA003E56F8} {000214FA-0000-0000-C000-000000000046} 0xFFFFBinary Data 10341000x800000000000000089937Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.596{9531C931-513C-623C-5C05-000000004302}2556740C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+f00d6|C:\Windows\System32\windows.storage.dll+f1a38|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000089936Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.596{9531C931-513C-623C-5C05-000000004302}2556740C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+5d0d0|C:\Windows\System32\windows.storage.dll+6c0b4|C:\Windows\System32\windows.storage.dll+178deb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada 10341000x800000000000000089935Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.596{9531C931-513C-623C-5C05-000000004302}2556740C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+f00d6|C:\Windows\System32\windows.storage.dll+f1a38|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000089934Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.596{9531C931-513C-623C-5C05-000000004302}2556740C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+5d0d0|C:\Windows\System32\windows.storage.dll+6c0b4|C:\Windows\System32\windows.storage.dll+178deb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada 10341000x800000000000000089933Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.596{9531C931-513C-623C-5C05-000000004302}25564444C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+f00d6|C:\Windows\System32\windows.storage.dll+f1a38|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000089932Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.596{9531C931-513C-623C-5C05-000000004302}25564444C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+5d0d0|C:\Windows\System32\windows.storage.dll+6c0b4|C:\Windows\System32\windows.storage.dll+178deb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada 10341000x800000000000000089931Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.596{9531C931-513C-623C-5C05-000000004302}25564300C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+f00d6|C:\Windows\System32\windows.storage.dll+f1a38|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000089930Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.596{9531C931-513C-623C-5C05-000000004302}25564812C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+f00d6|C:\Windows\System32\windows.storage.dll+f1a38|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000089929Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.596{9531C931-513C-623C-5C05-000000004302}25564300C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+5d0d0|C:\Windows\System32\windows.storage.dll+6c0b4|C:\Windows\System32\windows.storage.dll+178deb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada 10341000x800000000000000089928Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.596{9531C931-513C-623C-5C05-000000004302}25564444C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+f00d6|C:\Windows\System32\windows.storage.dll+f1a38|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000089927Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.596{9531C931-513C-623C-5C05-000000004302}25564812C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+5d0d0|C:\Windows\System32\windows.storage.dll+6c0b4|C:\Windows\System32\windows.storage.dll+178deb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada 10341000x800000000000000089926Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.596{9531C931-513C-623C-5C05-000000004302}25564444C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+5d0d0|C:\Windows\System32\windows.storage.dll+6c0b4|C:\Windows\System32\windows.storage.dll+178deb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada 10341000x800000000000000089925Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.596{9531C931-513C-623C-5C05-000000004302}25564444C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+f00d6|C:\Windows\System32\windows.storage.dll+f1a38|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000089924Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.596{9531C931-513C-623C-5C05-000000004302}25564444C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+5d0d0|C:\Windows\System32\windows.storage.dll+6c0b4|C:\Windows\System32\windows.storage.dll+178deb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada 10341000x800000000000000089923Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.596{9531C931-513C-623C-5C05-000000004302}25564976C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+f00d6|C:\Windows\System32\windows.storage.dll+f1a38|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000089922Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.596{9531C931-513C-623C-5C05-000000004302}25564976C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+5d0d0|C:\Windows\System32\windows.storage.dll+6c0b4|C:\Windows\System32\windows.storage.dll+178deb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada 10341000x800000000000000089921Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.596{9531C931-513C-623C-5C05-000000004302}25564976C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+f00d6|C:\Windows\System32\windows.storage.dll+f1a38|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000089920Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.596{9531C931-513C-623C-5C05-000000004302}25564976C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+5d0d0|C:\Windows\System32\windows.storage.dll+6c0b4|C:\Windows\System32\windows.storage.dll+178deb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada 10341000x800000000000000089919Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.596{9531C931-513C-623C-5C05-000000004302}25564976C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+f00d6|C:\Windows\System32\windows.storage.dll+f1a38|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000089918Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.596{9531C931-513C-623C-5C05-000000004302}25564976C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+5d0d0|C:\Windows\System32\windows.storage.dll+6c0b4|C:\Windows\System32\windows.storage.dll+178deb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada 10341000x800000000000000089917Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.596{9531C931-513C-623C-5C05-000000004302}25564856C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+f00d6|C:\Windows\System32\windows.storage.dll+f1a38|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000089916Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.596{9531C931-513C-623C-5C05-000000004302}25564856C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+5d0d0|C:\Windows\System32\windows.storage.dll+6c0b4|C:\Windows\System32\windows.storage.dll+178deb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada 10341000x800000000000000089915Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.596{9531C931-513C-623C-5C05-000000004302}25564300C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+f00d6|C:\Windows\System32\windows.storage.dll+f1a38|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000089914Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.596{9531C931-513C-623C-5C05-000000004302}25564300C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+5d0d0|C:\Windows\System32\windows.storage.dll+6c0b4|C:\Windows\System32\windows.storage.dll+178deb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada 10341000x800000000000000089913Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.596{9531C931-513C-623C-5C05-000000004302}2556740C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+f00d6|C:\Windows\System32\windows.storage.dll+f1a38|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000089912Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.596{9531C931-513C-623C-5C05-000000004302}25564444C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+f00d6|C:\Windows\System32\windows.storage.dll+f1a38|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000089911Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.596{9531C931-513C-623C-5C05-000000004302}25564812C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+f00d6|C:\Windows\System32\windows.storage.dll+f1a38|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000089910Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.596{9531C931-513C-623C-5C05-000000004302}2556740C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+5d0d0|C:\Windows\System32\windows.storage.dll+6c0b4|C:\Windows\System32\windows.storage.dll+178deb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada 10341000x800000000000000089909Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.596{9531C931-513C-623C-5C05-000000004302}25564812C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+5d0d0|C:\Windows\System32\windows.storage.dll+6c0b4|C:\Windows\System32\windows.storage.dll+178deb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada 10341000x800000000000000089908Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.596{9531C931-513C-623C-5C05-000000004302}25564780C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+f00d6|C:\Windows\System32\windows.storage.dll+f1a38|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000089907Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.596{9531C931-513C-623C-5C05-000000004302}25564976C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+f00d6|C:\Windows\System32\windows.storage.dll+f1a38|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000089906Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.580{9531C931-513C-623C-5C05-000000004302}25564976C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+5d0d0|C:\Windows\System32\windows.storage.dll+6c0b4|C:\Windows\System32\windows.storage.dll+178deb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada 10341000x800000000000000089905Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.580{9531C931-513C-623C-5C05-000000004302}25564780C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+5d0d0|C:\Windows\System32\windows.storage.dll+6c0b4|C:\Windows\System32\windows.storage.dll+178deb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada 10341000x800000000000000089904Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.580{9531C931-513C-623C-5C05-000000004302}2556740C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+f00d6|C:\Windows\System32\windows.storage.dll+f1a38|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000089903Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.580{9531C931-513C-623C-5C05-000000004302}2556740C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+5d0d0|C:\Windows\System32\windows.storage.dll+6c0b4|C:\Windows\System32\windows.storage.dll+178deb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada 10341000x800000000000000089902Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.580{9531C931-513C-623C-5C05-000000004302}25564444C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+5d0d0|C:\Windows\System32\windows.storage.dll+6c0b4|C:\Windows\System32\windows.storage.dll+178deb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada 10341000x800000000000000089901Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.580{9531C931-513C-623C-5C05-000000004302}25564704C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+f00d6|C:\Windows\System32\windows.storage.dll+f1a38|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000089900Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.580{9531C931-513C-623C-5C05-000000004302}25564232C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+f00d6|C:\Windows\System32\windows.storage.dll+f1a38|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000089899Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.580{9531C931-513C-623C-5C05-000000004302}25564704C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+5d0d0|C:\Windows\System32\windows.storage.dll+6c0b4|C:\Windows\System32\windows.storage.dll+178deb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada 10341000x800000000000000089898Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.580{9531C931-513C-623C-5C05-000000004302}25564232C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+5d0d0|C:\Windows\System32\windows.storage.dll+6c0b4|C:\Windows\System32\windows.storage.dll+178deb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada 10341000x800000000000000089897Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.580{9531C931-513C-623C-5C05-000000004302}25564136C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+f00d6|C:\Windows\System32\windows.storage.dll+f1a38|C:\Windows\system32\windows.cortana.onecore.dll+1602f|C:\Windows\system32\windows.cortana.onecore.dll+16127|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000089896Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.580{9531C931-513C-623C-5C05-000000004302}25564800C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+f00d6|C:\Windows\System32\windows.storage.dll+f1a38|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000089895Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.580{9531C931-513C-623C-5C05-000000004302}25564136C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+5d0d0|C:\Windows\System32\windows.storage.dll+6c0b4|C:\Windows\System32\windows.storage.dll+178deb|C:\Windows\system32\windows.cortana.onecore.dll+1717e|C:\Windows\system32\windows.cortana.onecore.dll+15fb7|C:\Windows\system32\windows.cortana.onecore.dll+16127|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326 10341000x800000000000000089894Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.580{9531C931-513C-623C-5C05-000000004302}25564800C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+5d0d0|C:\Windows\System32\windows.storage.dll+6c0b4|C:\Windows\System32\windows.storage.dll+178deb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada 10341000x800000000000000089893Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.580{9531C931-513C-623C-5C05-000000004302}25564800C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+f00d6|C:\Windows\System32\windows.storage.dll+f1a38|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000089892Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.580{9531C931-513C-623C-5C05-000000004302}25564800C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+5d0d0|C:\Windows\System32\windows.storage.dll+6c0b4|C:\Windows\System32\windows.storage.dll+178deb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada 10341000x800000000000000089891Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.580{9531C931-513C-623C-5C05-000000004302}25564976C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+f00d6|C:\Windows\System32\windows.storage.dll+f1a38|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000089890Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.580{9531C931-513C-623C-5C05-000000004302}25564976C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+5d0d0|C:\Windows\System32\windows.storage.dll+6c0b4|C:\Windows\System32\windows.storage.dll+178deb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada 10341000x800000000000000089889Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.580{9531C931-513C-623C-5C05-000000004302}25564976C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+f00d6|C:\Windows\System32\windows.storage.dll+f1a38|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000089888Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.580{9531C931-513C-623C-5C05-000000004302}25564976C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+5d0d0|C:\Windows\System32\windows.storage.dll+6c0b4|C:\Windows\System32\windows.storage.dll+178deb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada 10341000x800000000000000089887Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.580{9531C931-513C-623C-5C05-000000004302}25564444C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+f00d6|C:\Windows\System32\windows.storage.dll+f1a38|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000089886Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.580{9531C931-513C-623C-5C05-000000004302}25564976C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+f00d6|C:\Windows\System32\windows.storage.dll+f1a38|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000089885Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.580{9531C931-513C-623C-5C05-000000004302}25564800C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+f00d6|C:\Windows\System32\windows.storage.dll+f1a38|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000089884Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.580{9531C931-513C-623C-5C05-000000004302}25564444C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+5d0d0|C:\Windows\System32\windows.storage.dll+6c0b4|C:\Windows\System32\windows.storage.dll+178deb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada 10341000x800000000000000089883Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.580{9531C931-513C-623C-5C05-000000004302}25564976C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+5d0d0|C:\Windows\System32\windows.storage.dll+6c0b4|C:\Windows\System32\windows.storage.dll+178deb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada 10341000x800000000000000089882Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.580{9531C931-513C-623C-5C05-000000004302}25564800C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+5d0d0|C:\Windows\System32\windows.storage.dll+6c0b4|C:\Windows\System32\windows.storage.dll+178deb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada 10341000x800000000000000089881Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.580{9531C931-513C-623C-5C05-000000004302}25564300C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+f00d6|C:\Windows\System32\windows.storage.dll+f1a38|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000089880Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.580{9531C931-513C-623C-5C05-000000004302}25564300C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+5d0d0|C:\Windows\System32\windows.storage.dll+6c0b4|C:\Windows\System32\windows.storage.dll+178deb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada 10341000x800000000000000089879Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.580{9531C931-513C-623C-5C05-000000004302}25564640C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+f00d6|C:\Windows\System32\windows.storage.dll+f1a38|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000089878Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.580{9531C931-513C-623C-5C05-000000004302}25564640C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+5d0d0|C:\Windows\System32\windows.storage.dll+6c0b4|C:\Windows\System32\windows.storage.dll+178deb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada 10341000x800000000000000089877Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.580{9531C931-513C-623C-5C05-000000004302}25564812C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+f00d6|C:\Windows\System32\windows.storage.dll+f1a38|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000089876Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.580{9531C931-513C-623C-5C05-000000004302}25564812C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+f00d6|C:\Windows\System32\windows.storage.dll+f1a38|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000089875Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.580{9531C931-513C-623C-5C05-000000004302}25564812C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+5d0d0|C:\Windows\System32\windows.storage.dll+6c0b4|C:\Windows\System32\windows.storage.dll+178deb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada 10341000x800000000000000089874Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.564{9531C931-286C-623C-0B00-000000004302}6284776C:\Windows\system32\lsass.exe{9531C931-286E-623C-1600-000000004302}1216C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089873Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.564{9531C931-513C-623C-5C05-000000004302}25564812C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+5d0d0|C:\Windows\System32\windows.storage.dll+6c0b4|C:\Windows\System32\windows.storage.dll+178deb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada 10341000x800000000000000089872Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.564{9531C931-513C-623C-5C05-000000004302}25564232C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+f00d6|C:\Windows\System32\windows.storage.dll+f1a38|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000089871Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.564{9531C931-513C-623C-5C05-000000004302}25564232C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+5d0d0|C:\Windows\System32\windows.storage.dll+6c0b4|C:\Windows\System32\windows.storage.dll+178deb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada 10341000x800000000000000089870Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.564{9531C931-286E-623C-1400-000000004302}9523044C:\Windows\system32\svchost.exe{9531C931-514E-623C-7D05-000000004302}4236C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089869Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.564{9531C931-286E-623C-1400-000000004302}9521104C:\Windows\system32\svchost.exe{9531C931-514E-623C-7D05-000000004302}4236C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089868Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.564{9531C931-513C-623C-5C05-000000004302}25564812C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+f00d6|C:\Windows\System32\windows.storage.dll+f1a38|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000089867Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.564{9531C931-513C-623C-5C05-000000004302}25564812C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+5d0d0|C:\Windows\System32\windows.storage.dll+6c0b4|C:\Windows\System32\windows.storage.dll+178deb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada 23542300x800000000000000089866Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.564{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F69EC251928DB79C82875CE3B6A1C59,SHA256=5F73D4B6D4E753D0C3AB38B438826BF1880373775B939A3DC9B3B2E07A28C649,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000089865Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.564{9531C931-513C-623C-5C05-000000004302}2556740C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+f00d6|C:\Windows\System32\windows.storage.dll+f1a38|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000089864Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.564{9531C931-513C-623C-5C05-000000004302}2556740C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+5d0d0|C:\Windows\System32\windows.storage.dll+6c0b4|C:\Windows\System32\windows.storage.dll+178deb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada 10341000x800000000000000089863Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.564{9531C931-513C-623C-5C05-000000004302}25564976C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+f00d6|C:\Windows\System32\windows.storage.dll+f1a38|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000089862Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.564{9531C931-513C-623C-5C05-000000004302}25564812C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+f00d6|C:\Windows\System32\windows.storage.dll+f1a38|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000089861Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.564{9531C931-513C-623C-5C05-000000004302}25564976C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+5d0d0|C:\Windows\System32\windows.storage.dll+6c0b4|C:\Windows\System32\windows.storage.dll+178deb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada 10341000x800000000000000089860Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.564{9531C931-513C-623C-5C05-000000004302}25564812C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+5d0d0|C:\Windows\System32\windows.storage.dll+6c0b4|C:\Windows\System32\windows.storage.dll+178deb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada 23542300x800000000000000089859Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.564{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45BEF016717CE0DDC504DDE0C899035D,SHA256=939C5DC055DC317CDF0682247707381C57C2F779711CF34BFA2F3F88AA4C3100,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000089858Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.564{9531C931-513C-623C-5C05-000000004302}25564976C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+f00d6|C:\Windows\System32\windows.storage.dll+f1a38|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000089857Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.564{9531C931-513C-623C-5C05-000000004302}25564976C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+5d0d0|C:\Windows\System32\windows.storage.dll+6c0b4|C:\Windows\System32\windows.storage.dll+178deb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada 10341000x800000000000000089856Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.564{9531C931-286D-623C-0C00-000000004302}7204628C:\Windows\system32\svchost.exe{9531C931-514E-623C-7D05-000000004302}4236C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089855Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.549{9531C931-513C-623C-5C05-000000004302}25564780C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+f00d6|C:\Windows\System32\windows.storage.dll+f1a38|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000089854Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.549{9531C931-513C-623C-5C05-000000004302}25564780C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+5d0d0|C:\Windows\System32\windows.storage.dll+6c0b4|C:\Windows\System32\windows.storage.dll+178deb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada 10341000x800000000000000089853Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.549{9531C931-513C-623C-5C05-000000004302}25564812C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+f00d6|C:\Windows\System32\windows.storage.dll+f1a38|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000089852Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.549{9531C931-513C-623C-5C05-000000004302}25564812C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+5d0d0|C:\Windows\System32\windows.storage.dll+6c0b4|C:\Windows\System32\windows.storage.dll+178deb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada 10341000x800000000000000089851Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.549{9531C931-513C-623C-5C05-000000004302}25564976C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+f00d6|C:\Windows\System32\windows.storage.dll+f1a38|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000089850Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.549{9531C931-513C-623C-5C05-000000004302}25564444C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+f00d6|C:\Windows\System32\windows.storage.dll+f1a38|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000089849Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.549{9531C931-513C-623C-5C05-000000004302}25564976C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+5d0d0|C:\Windows\System32\windows.storage.dll+6c0b4|C:\Windows\System32\windows.storage.dll+178deb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada 10341000x800000000000000089848Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.549{9531C931-513C-623C-5C05-000000004302}25564444C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+5d0d0|C:\Windows\System32\windows.storage.dll+6c0b4|C:\Windows\System32\windows.storage.dll+178deb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada 10341000x800000000000000089847Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.549{9531C931-513C-623C-5C05-000000004302}25563608C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089846Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.549{9531C931-513C-623C-5C05-000000004302}25563608C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089845Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.549{9531C931-513C-623C-5C05-000000004302}25564944C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089844Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.549{9531C931-513C-623C-5C05-000000004302}25564944C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089843Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.549{9531C931-513C-623C-5C05-000000004302}25565036C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089842Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.549{9531C931-513C-623C-5C05-000000004302}25565036C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089841Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.549{9531C931-513C-623C-5C05-000000004302}25564976C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+f00d6|C:\Windows\System32\windows.storage.dll+f1a38|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000089840Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.549{9531C931-513C-623C-5C05-000000004302}25564892C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089839Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.549{9531C931-513C-623C-5C05-000000004302}25564976C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+5d0d0|C:\Windows\System32\windows.storage.dll+6c0b4|C:\Windows\System32\windows.storage.dll+178deb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada 10341000x800000000000000089838Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.549{9531C931-513C-623C-5C05-000000004302}25565092C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+f00d6|C:\Windows\System32\windows.storage.dll+f1a38|C:\Windows\system32\windows.cortana.onecore.dll+1602f|C:\Windows\system32\windows.cortana.onecore.dll+16127|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000089837Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.549{9531C931-513C-623C-5C05-000000004302}25564892C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089836Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.549{9531C931-513C-623C-5C05-000000004302}25562820C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089835Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.549{9531C931-513C-623C-5C05-000000004302}25562820C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e 10341000x800000000000000089834Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.549{9531C931-513C-623C-5C05-000000004302}25564900C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089833Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.549{9531C931-513C-623C-5C05-000000004302}25564900C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089832Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.549{9531C931-513C-623C-5C05-000000004302}25564904C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089831Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.549{9531C931-513C-623C-5C05-000000004302}25563244C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089830Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.549{9531C931-513C-623C-5C05-000000004302}25564904C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089829Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.549{9531C931-513C-623C-5C05-000000004302}25563244C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089828Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.549{9531C931-513C-623C-5C05-000000004302}2556808C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089827Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.549{9531C931-513C-623C-5C05-000000004302}25565092C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+5d0d0|C:\Windows\System32\windows.storage.dll+6c0b4|C:\Windows\System32\windows.storage.dll+178deb|C:\Windows\system32\windows.cortana.onecore.dll+1717e|C:\Windows\system32\windows.cortana.onecore.dll+15fb7|C:\Windows\system32\windows.cortana.onecore.dll+16127|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326 10341000x800000000000000089826Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.549{9531C931-513C-623C-5C05-000000004302}2556808C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089825Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.549{9531C931-513C-623C-5C05-000000004302}2556732C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089824Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.549{9531C931-513C-623C-5C05-000000004302}2556732C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089823Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.549{9531C931-513C-623C-5C05-000000004302}25564908C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089822Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.549{9531C931-513C-623C-5C05-000000004302}25564908C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089821Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.549{9531C931-513C-623C-5C05-000000004302}25564112C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089820Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.549{9531C931-513C-623C-5C05-000000004302}25564112C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089819Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.549{9531C931-513C-623C-5C05-000000004302}25561124C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089818Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.549{9531C931-513C-623C-5C05-000000004302}25561124C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089817Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.549{9531C931-513C-623C-5C05-000000004302}25564952C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089816Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.549{9531C931-513C-623C-5C05-000000004302}25564952C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089815Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.549{9531C931-513C-623C-5C05-000000004302}25562796C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089814Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.549{9531C931-513C-623C-5C05-000000004302}25562796C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089813Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.549{9531C931-513C-623C-5C05-000000004302}25564976C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+f00d6|C:\Windows\System32\windows.storage.dll+f1a38|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000089812Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.549{9531C931-513C-623C-5C05-000000004302}25564812C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+f00d6|C:\Windows\System32\windows.storage.dll+f1a38|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000089811Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.549{9531C931-513C-623C-5C05-000000004302}25564976C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+5d0d0|C:\Windows\System32\windows.storage.dll+6c0b4|C:\Windows\System32\windows.storage.dll+178deb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada 10341000x800000000000000089810Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.549{9531C931-513C-623C-5C05-000000004302}25564984C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089809Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.549{9531C931-513C-623C-5C05-000000004302}25564812C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+5d0d0|C:\Windows\System32\windows.storage.dll+6c0b4|C:\Windows\System32\windows.storage.dll+178deb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada 10341000x800000000000000089808Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.549{9531C931-513C-623C-5C05-000000004302}25564984C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089807Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.549{9531C931-513C-623C-5C05-000000004302}25564976C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+f00d6|C:\Windows\System32\windows.storage.dll+f1a38|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000089806Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.549{9531C931-513C-623C-5C05-000000004302}25562488C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089805Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.549{9531C931-513C-623C-5C05-000000004302}25562488C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089804Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.549{9531C931-513C-623C-5C05-000000004302}25564812C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+f00d6|C:\Windows\System32\windows.storage.dll+f1a38|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000089803Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.549{9531C931-513C-623C-5C05-000000004302}25564976C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+5d0d0|C:\Windows\System32\windows.storage.dll+6c0b4|C:\Windows\System32\windows.storage.dll+178deb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada 10341000x800000000000000089802Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.549{9531C931-513C-623C-5C05-000000004302}25564812C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+5d0d0|C:\Windows\System32\windows.storage.dll+6c0b4|C:\Windows\System32\windows.storage.dll+178deb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada 10341000x800000000000000089801Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.549{9531C931-513C-623C-5C05-000000004302}25564976C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+f00d6|C:\Windows\System32\windows.storage.dll+f1a38|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000089800Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.549{9531C931-513C-623C-5C05-000000004302}25564960C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089799Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.549{9531C931-513C-623C-5C05-000000004302}25564960C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089798Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.549{9531C931-513C-623C-5C05-000000004302}25564976C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+5d0d0|C:\Windows\System32\windows.storage.dll+6c0b4|C:\Windows\System32\windows.storage.dll+178deb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada 10341000x800000000000000089797Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.549{9531C931-513C-623C-5C05-000000004302}25564660C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089796Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.549{9531C931-513C-623C-5C05-000000004302}25564956C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089795Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.549{9531C931-513C-623C-5C05-000000004302}25564956C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089794Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.535{9531C931-513C-623C-5C05-000000004302}25564660C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089793Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.535{9531C931-513C-623C-5C05-000000004302}25564908C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089792Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.535{9531C931-513C-623C-5C05-000000004302}25563320C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089791Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.535{9531C931-513C-623C-5C05-000000004302}25564908C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089790Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.535{9531C931-513C-623C-5C05-000000004302}25563320C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089789Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.535{9531C931-513C-623C-5C05-000000004302}25564436C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089788Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.535{9531C931-513C-623C-5C05-000000004302}25563808C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089787Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.535{9531C931-513C-623C-5C05-000000004302}25564436C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089786Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.535{9531C931-513C-623C-5C05-000000004302}25563652C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089785Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.535{9531C931-513C-623C-5C05-000000004302}25563808C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089784Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.535{9531C931-513C-623C-5C05-000000004302}25563652C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089783Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.535{9531C931-513C-623C-5C05-000000004302}25564432C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089782Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.535{9531C931-513C-623C-5C05-000000004302}25564432C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089781Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.535{9531C931-513C-623C-5C05-000000004302}25564780C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+f00d6|C:\Windows\System32\windows.storage.dll+f1a38|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000089780Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.535{9531C931-5139-623C-5205-000000004302}15403348C:\Windows\system32\csrss.exe{9531C931-514E-623C-7D05-000000004302}4236C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000089779Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.535{9531C931-513C-623C-5C05-000000004302}25564780C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+5d0d0|C:\Windows\System32\windows.storage.dll+6c0b4|C:\Windows\System32\windows.storage.dll+178deb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada 10341000x800000000000000089778Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.535{9531C931-513C-623C-5C05-000000004302}25564680C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089777Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.535{9531C931-513C-623C-5C05-000000004302}25564976C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+f00d6|C:\Windows\System32\windows.storage.dll+f1a38|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000089776Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.535{9531C931-513C-623C-5C05-000000004302}25564412C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089775Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.535{9531C931-513C-623C-5C05-000000004302}25564680C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089774Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.535{9531C931-513C-623C-5C05-000000004302}25564412C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089773Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.535{9531C931-513C-623C-5C05-000000004302}25564976C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+5d0d0|C:\Windows\System32\windows.storage.dll+6c0b4|C:\Windows\System32\windows.storage.dll+178deb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada 10341000x800000000000000089772Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.535{9531C931-513C-623C-5C05-000000004302}25564416C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089771Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.535{9531C931-513C-623C-5C05-000000004302}25564416C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089770Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.535{9531C931-513C-623C-5C05-000000004302}25561840C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089769Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.535{9531C931-513C-623C-5C05-000000004302}25564440C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089768Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.535{9531C931-513C-623C-5C05-000000004302}25561840C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089767Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.535{9531C931-513C-623C-5C05-000000004302}25564232C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089766Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.535{9531C931-513C-623C-5C05-000000004302}25564424C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089765Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.535{9531C931-513C-623C-5C05-000000004302}25564232C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089764Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.535{9531C931-513C-623C-5C05-000000004302}25564424C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089763Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.535{9531C931-513C-623C-5C05-000000004302}25564440C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089762Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.535{9531C931-513C-623C-5C05-000000004302}25564248C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089761Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.535{9531C931-513C-623C-5C05-000000004302}25564248C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089760Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.535{9531C931-513C-623C-5C05-000000004302}25564780C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+f00d6|C:\Windows\System32\windows.storage.dll+f1a38|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000089759Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.535{9531C931-513C-623C-5C05-000000004302}25564136C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089758Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.535{9531C931-513C-623C-5C05-000000004302}25564136C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089757Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.535{9531C931-513C-623C-5C05-000000004302}25564380C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089756Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.535{9531C931-513C-623C-5C05-000000004302}25564780C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+5d0d0|C:\Windows\System32\windows.storage.dll+6c0b4|C:\Windows\System32\windows.storage.dll+178deb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada 10341000x800000000000000089755Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.535{9531C931-513C-623C-5C05-000000004302}25564380C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089754Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.535{9531C931-513C-623C-5C05-000000004302}25564800C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+f00d6|C:\Windows\System32\windows.storage.dll+f1a38|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000089753Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.535{9531C931-513C-623C-5C05-000000004302}25564800C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+5d0d0|C:\Windows\System32\windows.storage.dll+6c0b4|C:\Windows\System32\windows.storage.dll+178deb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada 10341000x800000000000000089752Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.535{9531C931-513C-623C-5C05-000000004302}25564232C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089751Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.535{9531C931-513C-623C-5C05-000000004302}25564232C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089750Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.535{9531C931-513C-623C-5C05-000000004302}25564704C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089749Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.535{9531C931-513C-623C-5C05-000000004302}25564704C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089748Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.535{9531C931-513C-623C-5C05-000000004302}25564300C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089747Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.535{9531C931-513C-623C-5C05-000000004302}25564396C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089746Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.535{9531C931-513C-623C-5C05-000000004302}25564300C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089745Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.535{9531C931-513C-623C-5C05-000000004302}25564396C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089744Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.535{9531C931-513C-623C-5C05-000000004302}25561840C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089743Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.535{9531C931-513C-623C-5C05-000000004302}25561840C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089742Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.535{9531C931-513C-623C-5C05-000000004302}25564812C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+f00d6|C:\Windows\System32\windows.storage.dll+f1a38|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000089741Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.535{9531C931-286C-623C-0500-000000004302}408528C:\Windows\system32\csrss.exe{9531C931-514E-623C-7D05-000000004302}4236C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000089740Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.535{9531C931-513C-623C-5C05-000000004302}25564812C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+5d0d0|C:\Windows\System32\windows.storage.dll+6c0b4|C:\Windows\System32\windows.storage.dll+178deb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada 10341000x800000000000000089739Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.535{9531C931-286D-623C-0C00-000000004302}7204628C:\Windows\system32\svchost.exe{9531C931-514E-623C-7D05-000000004302}4236C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f553|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25bc9|c:\windows\system32\rpcss.dll+40ca2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089738Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.535{9531C931-513C-623C-5C05-000000004302}25561840C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089737Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.535{9531C931-513C-623C-5C05-000000004302}25561840C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089736Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.535{9531C931-513C-623C-5C05-000000004302}25564232C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089735Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.535{9531C931-513C-623C-5C05-000000004302}25564232C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089734Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.535{9531C931-513C-623C-5C05-000000004302}25564812C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+f00d6|C:\Windows\System32\windows.storage.dll+f1a38|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000089733Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.535{9531C931-513C-623C-5C05-000000004302}25564140C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089732Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.535{9531C931-513C-623C-5C05-000000004302}25564812C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+5d0d0|C:\Windows\System32\windows.storage.dll+6c0b4|C:\Windows\System32\windows.storage.dll+178deb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada 10341000x800000000000000089731Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.535{9531C931-513C-623C-5C05-000000004302}25564140C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089730Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.535{9531C931-513C-623C-5C05-000000004302}25564136C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089729Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.535{9531C931-513C-623C-5C05-000000004302}25564136C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e 10341000x800000000000000089728Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.535{9531C931-513C-623C-5C05-000000004302}25564812C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+f00d6|C:\Windows\System32\windows.storage.dll+f1a38|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000089727Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.535{9531C931-513C-623C-5C05-000000004302}25564812C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+5d0d0|C:\Windows\System32\windows.storage.dll+6c0b4|C:\Windows\System32\windows.storage.dll+178deb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada 10341000x800000000000000089726Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.535{9531C931-513C-623C-5C05-000000004302}25564300C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089725Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.517{9531C931-513C-623C-5C05-000000004302}25564300C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089724Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.517{9531C931-513C-623C-5C05-000000004302}2556740C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089723Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.517{9531C931-513C-623C-5C05-000000004302}2556740C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089722Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.517{9531C931-513C-623C-5C05-000000004302}25564140C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089721Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.517{9531C931-513C-623C-5C05-000000004302}25564140C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089720Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.517{9531C931-513C-623C-5C05-000000004302}25564976C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+f00d6|C:\Windows\System32\windows.storage.dll+f1a38|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000089719Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.517{9531C931-513C-623C-5C05-000000004302}25564704C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089718Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.517{9531C931-513C-623C-5C05-000000004302}25564976C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+5d0d0|C:\Windows\System32\windows.storage.dll+6c0b4|C:\Windows\System32\windows.storage.dll+178deb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada 10341000x800000000000000089717Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.517{9531C931-513C-623C-5C05-000000004302}25564704C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089716Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.517{9531C931-513C-623C-5C05-000000004302}25564976C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+f00d6|C:\Windows\System32\windows.storage.dll+f1a38|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000089715Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.517{9531C931-513C-623C-5C05-000000004302}25564976C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+5d0d0|C:\Windows\System32\windows.storage.dll+6c0b4|C:\Windows\System32\windows.storage.dll+178deb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada 10341000x800000000000000089714Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.517{9531C931-513C-623C-5C05-000000004302}25564808C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089713Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.517{9531C931-513C-623C-5C05-000000004302}25564808C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089712Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.517{9531C931-513C-623C-5C05-000000004302}25564804C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089711Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.517{9531C931-513C-623C-5C05-000000004302}25564804C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089710Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.517{9531C931-513C-623C-5C05-000000004302}25564976C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+f00d6|C:\Windows\System32\windows.storage.dll+f1a38|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000089709Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.517{9531C931-513C-623C-5C05-000000004302}25564800C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089708Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.517{9531C931-513C-623C-5C05-000000004302}25564800C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089707Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.517{9531C931-513C-623C-5C05-000000004302}25564808C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089706Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.517{9531C931-513C-623C-5C05-000000004302}25564808C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089705Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.517{9531C931-513C-623C-5C05-000000004302}25564704C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089704Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.517{9531C931-513C-623C-5C05-000000004302}25564976C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+5d0d0|C:\Windows\System32\windows.storage.dll+6c0b4|C:\Windows\System32\windows.storage.dll+178deb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37e6f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada 10341000x800000000000000089703Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.517{9531C931-513C-623C-5C05-000000004302}25564704C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089702Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.517{9531C931-513C-623C-5C05-000000004302}25564780C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089701Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.517{9531C931-513C-623C-5C05-000000004302}25564800C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089700Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.517{9531C931-513C-623C-5C05-000000004302}25564780C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089699Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.517{9531C931-513C-623C-5C05-000000004302}25564800C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089698Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.517{9531C931-513C-623C-5C05-000000004302}25564780C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089697Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.517{9531C931-513C-623C-5C05-000000004302}25564780C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089696Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.517{9531C931-513C-623C-5C05-000000004302}25564800C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089695Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.517{9531C931-513C-623C-5C05-000000004302}25564812C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089694Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.517{9531C931-513C-623C-5C05-000000004302}25564800C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089693Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.517{9531C931-513C-623C-5C05-000000004302}25564812C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089692Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.502{9531C931-513C-623C-5C05-000000004302}25564812C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000089691Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.502{9531C931-513C-623C-5C05-000000004302}25564812C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e 10341000x800000000000000089690Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.439{9531C931-513C-623C-5C05-000000004302}25565116C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+12bdab|C:\Windows\System32\windows.storage.dll+12dc83|C:\Windows\System32\windows.storage.dll+12bcbc|C:\Windows\System32\windows.storage.dll+12f431|C:\Windows\System32\windows.storage.dll+12e70c|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+e912c 10341000x800000000000000089689Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.439{9531C931-513C-623C-5C05-000000004302}25565116C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+12bd48|C:\Windows\System32\windows.storage.dll+12dc64|C:\Windows\System32\windows.storage.dll+12bcbc|C:\Windows\System32\windows.storage.dll+12f431|C:\Windows\System32\windows.storage.dll+12e70c|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+e912c 10341000x800000000000000089688Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.439{9531C931-513C-623C-5C05-000000004302}25565116C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+12cecb|C:\Windows\System32\windows.storage.dll+12c3a5|C:\Windows\System32\windows.storage.dll+12c182|C:\Windows\System32\windows.storage.dll+12f3ea|C:\Windows\System32\windows.storage.dll+12e70c|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+e912c 10341000x800000000000000089687Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.439{9531C931-513C-623C-5C05-000000004302}25564812C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+5cf2c|C:\Windows\System32\windows.storage.dll+e5c29|C:\Windows\System32\windows.storage.dll+e5db4|C:\Windows\System32\windows.storage.dll+61676|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e 10341000x800000000000000089686Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.424{9531C931-513C-623C-5C05-000000004302}25565116C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+60ef0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+e912c|C:\Windows\System32\windows.storage.dll+e8b32|C:\Windows\System32\windows.storage.dll+e6519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089685Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.424{9531C931-513C-623C-5C05-000000004302}25565116C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+5cf9b|C:\Windows\System32\windows.storage.dll+5fc02|C:\Windows\System32\windows.storage.dll+601f8|C:\Windows\System32\windows.storage.dll+19f983|C:\Windows\System32\windows.storage.dll+60ed5|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+e912c 10341000x800000000000000089684Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.424{9531C931-513C-623C-5C05-000000004302}25565116C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+605c3|C:\Windows\System32\windows.storage.dll+19fa88|C:\Windows\System32\windows.storage.dll+19f969|C:\Windows\System32\windows.storage.dll+60ed5|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+e912c|C:\Windows\System32\windows.storage.dll+e8b32 10341000x800000000000000089683Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.424{9531C931-513C-623C-5C05-000000004302}25564812C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+5cf2c|C:\Windows\System32\windows.storage.dll+e5c29|C:\Windows\System32\windows.storage.dll+e5db4|C:\Windows\System32\windows.storage.dll+61676|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e 11241100x800000000000000089682Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.408{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{0f425d36-ec0d-49ae-b068-934128ab89ba}\0.2.filtertrie.intermediate.txt2022-03-24 11:09:02.408 11241100x800000000000000089681Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.408{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{0f425d36-ec0d-49ae-b068-934128ab89ba}\0.1.filtertrie.intermediate.txt2022-03-24 11:09:02.408 11241100x800000000000000089680Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.408{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{0f425d36-ec0d-49ae-b068-934128ab89ba}\0.0.filtertrie.intermediate.txt2022-03-24 11:09:02.408 354300x800000000000000089679Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:08:59.707{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51763-false10.0.1.12-8000- 11241100x800000000000000089678Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.361{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{b9f66cc3-b4b7-41f4-bfdc-98e043db1abc}\Appssynonyms.txt2016-04-15 08:09:24.000 23542300x800000000000000089677Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.361{9531C931-5149-623C-7A05-000000004302}4508WIN-HOST-TCONTR\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{b9f66cc3-b4b7-41f4-bfdc-98e043db1abc}\appssynonyms.txtMD5=0159FA2FCDF8F84DB30198B1B3F95415,SHA256=4123D6B7736C9764973415C8F03F58E76FB2FB0A08E8F55CE9165C0C631C955E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000089676Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.283{9531C931-513E-623C-6505-000000004302}35881956C:\Windows\Explorer.EXE{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+af4a0|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF802052DCB58)|UNKNOWN(FFFFF693D44A5B88)|UNKNOWN(FFFFF693D44A5D07)|UNKNOWN(FFFFF693D44A0391)|UNKNOWN(FFFFF693D44A1D5A)|UNKNOWN(FFFFF693D44A0016)|UNKNOWN(FFFFF80204FF2503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+b2cfb|C:\Windows\System32\SHELL32.dll+5360a|C:\Windows\System32\SHCORE.dll+33fad 10341000x800000000000000089675Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.283{9531C931-513E-623C-6505-000000004302}35881956C:\Windows\Explorer.EXE{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+aef81|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF802052DCB58)|UNKNOWN(FFFFF693D44A5B88)|UNKNOWN(FFFFF693D44A5D07)|UNKNOWN(FFFFF693D44A0391)|UNKNOWN(FFFFF693D44A1D5A)|UNKNOWN(FFFFF693D44A0016)|UNKNOWN(FFFFF80204FF2503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+b2cfb|C:\Windows\System32\SHELL32.dll+5360a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000089674Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.283{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{b9f66cc3-b4b7-41f4-bfdc-98e043db1abc}\settingssynonyms.txt2022-03-24 11:09:02.283 11241100x800000000000000089673Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.283{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{b9f66cc3-b4b7-41f4-bfdc-98e043db1abc}\appssynonyms.txt2022-03-24 11:09:02.283 11241100x800000000000000089672Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.283{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{b9f66cc3-b4b7-41f4-bfdc-98e043db1abc}\settingsconversions.txt2022-03-24 11:09:02.283 11241100x800000000000000089671Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.283{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{b9f66cc3-b4b7-41f4-bfdc-98e043db1abc}\appsconversions.txt2022-03-24 11:09:02.283 11241100x800000000000000089670Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.267{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{b9f66cc3-b4b7-41f4-bfdc-98e043db1abc}\settingsglobals.txt2022-03-24 11:09:02.267 11241100x800000000000000089669Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.267{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{b9f66cc3-b4b7-41f4-bfdc-98e043db1abc}\appsglobals.txt2022-03-24 11:09:02.267 11241100x800000000000000089668Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.220{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache132925937409660068.txt2022-03-24 11:09:02.220 10341000x800000000000000089667Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.220{9531C931-513E-623C-6505-000000004302}35881956C:\Windows\Explorer.EXE{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+af4a0|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF802052DCB58)|UNKNOWN(FFFFF693D44A5B88)|UNKNOWN(FFFFF693D44A5D07)|UNKNOWN(FFFFF693D44A0391)|UNKNOWN(FFFFF693D44A1D5A)|UNKNOWN(FFFFF693D44A0016)|UNKNOWN(FFFFF80204FF2503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+b2cfb|C:\Windows\System32\SHELL32.dll+5360a|C:\Windows\System32\SHCORE.dll+33fad 10341000x800000000000000089666Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.205{9531C931-513E-623C-6505-000000004302}35881956C:\Windows\Explorer.EXE{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+aef81|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF802052DCB58)|UNKNOWN(FFFFF693D44A5B88)|UNKNOWN(FFFFF693D44A5D07)|UNKNOWN(FFFFF693D44A0391)|UNKNOWN(FFFFF693D44A1D5A)|UNKNOWN(FFFFF693D44A0016)|UNKNOWN(FFFFF80204FF2503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+b2cfb|C:\Windows\System32\SHELL32.dll+5360a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089665Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.158{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089664Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.158{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089663Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.158{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089662Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.158{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089661Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.158{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089660Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.158{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089659Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.158{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089658Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.158{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089657Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.158{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089656Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.158{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089655Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.158{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089654Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.158{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089653Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.158{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089652Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.158{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089651Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.158{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089650Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.158{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089649Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.142{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089648Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.142{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089647Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.142{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089646Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.142{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089645Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.142{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089644Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.142{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089643Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.142{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089642Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.142{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089641Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.142{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089640Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.142{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089639Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.142{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089638Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.142{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089637Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.142{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089636Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.142{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089635Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.142{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089634Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.142{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089633Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.142{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089632Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.142{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089631Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.142{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089630Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.142{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089629Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.142{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089628Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.142{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089627Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.142{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089626Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.142{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089625Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.142{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089624Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.142{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089623Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.142{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089622Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.142{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089621Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.142{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089620Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.142{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089619Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.142{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089618Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.142{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089617Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.142{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089616Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.142{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089615Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.142{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089614Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.142{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089613Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.142{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089612Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.142{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089611Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.142{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089610Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.142{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089609Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.142{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089608Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.142{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089607Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.142{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089606Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.142{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089605Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.128{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089604Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.128{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089603Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.128{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089602Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.128{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089601Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.128{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089600Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.128{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089599Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.128{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089598Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.128{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089597Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.128{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089596Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.128{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089595Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.128{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089594Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.128{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089593Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.128{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089592Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.128{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089591Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.128{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089590Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.128{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089589Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.128{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089588Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.128{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089587Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.128{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089586Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.128{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089585Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.128{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089584Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.128{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089583Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.128{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089582Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.128{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089581Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.128{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089580Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.128{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089579Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.128{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089578Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.128{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089577Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.128{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089576Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.128{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089575Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.128{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089574Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.128{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089573Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.128{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089572Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.128{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089571Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.128{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089570Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.128{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089569Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.128{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089568Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.128{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089567Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.128{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089566Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.128{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089565Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.111{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089564Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.111{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089563Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.111{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089562Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.111{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089561Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.111{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089560Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.111{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089559Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.111{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089558Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.111{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089557Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.111{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089556Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.111{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089555Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.111{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089554Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.111{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089553Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.111{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089552Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.111{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089551Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.111{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089550Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.111{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089549Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.111{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089548Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.111{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089547Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.111{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089546Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.111{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089545Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.095{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1528d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009 10341000x800000000000000089544Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.095{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000089543Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.095{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000089542Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.095{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11b6c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089541Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.095{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089540Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.095{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089539Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.095{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089538Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.095{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089537Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.080{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089536Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.080{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089535Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.080{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089534Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.080{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089533Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.080{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089532Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.080{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089531Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.080{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089530Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.080{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089529Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.080{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089528Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.080{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089527Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.080{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089526Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.080{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089525Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.080{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089524Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.080{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089523Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.080{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089522Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.080{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089521Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.064{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1528d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009 10341000x8000000000000000121102Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:02.633{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-514E-623C-EC05-000000004202}2680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121101Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:02.633{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121100Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:02.633{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121099Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:02.633{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121098Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:02.633{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121097Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:02.633{5F3DCEF0-286A-623C-0500-000000004202}404420C:\Windows\system32\csrss.exe{5F3DCEF0-514E-623C-EC05-000000004202}2680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000121096Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:02.633{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-514E-623C-EC05-000000004202}2680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000121095Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:02.635{5F3DCEF0-514E-623C-EC05-000000004202}2680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000121094Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:08:59.833{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local53domainfalse10.0.1.15WIN-HOST-TCONTR61248- 23542300x8000000000000000121093Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:02.133{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A83CC9108A2E1C9AEB418A32547C922,SHA256=B23390B2E422F0A45942B0F53F18B3880AC9C8BC12F5BF69F05436A1FF47CA66,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000089520Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.064{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000089519Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.064{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000089518Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.064{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11b6c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089517Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.064{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089516Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.064{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089515Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.064{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089514Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.064{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089513Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.064{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089512Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.064{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089511Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.064{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089510Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.064{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089509Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.064{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089508Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.064{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089507Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.064{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089506Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.064{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089505Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.064{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089504Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.064{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089503Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.064{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089502Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.064{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089501Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.064{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089500Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.064{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089499Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.064{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089498Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.064{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089497Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.064{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089496Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.064{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089495Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.064{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089494Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.064{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089493Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.064{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089492Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.064{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089491Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.064{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089490Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.064{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089489Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.064{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089488Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.049{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d4e3|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d7a9|C:\Windows\System32\TwinUI.dll+bea54|C:\Windows\System32\TwinUI.dll+1a92a1|C:\Windows\System32\TwinUI.dll+bf499|C:\Windows\System32\TwinUI.dll+bf402|C:\Windows\System32\TwinUI.dll+10acd3|C:\Windows\System32\TwinUI.dll+10b943|C:\Windows\System32\TwinUI.dll+10c487|C:\Windows\System32\TwinUI.dll+d66a4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089487Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.049{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+bea54|C:\Windows\System32\TwinUI.dll+1a92a1|C:\Windows\System32\TwinUI.dll+bf499|C:\Windows\System32\TwinUI.dll+bf402|C:\Windows\System32\TwinUI.dll+10acd3|C:\Windows\System32\TwinUI.dll+10b943|C:\Windows\System32\TwinUI.dll+10c487|C:\Windows\System32\TwinUI.dll+d66a4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089486Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.049{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+bea54|C:\Windows\System32\TwinUI.dll+1a92a1|C:\Windows\System32\TwinUI.dll+bf499|C:\Windows\System32\TwinUI.dll+bf402|C:\Windows\System32\TwinUI.dll+10acd3|C:\Windows\System32\TwinUI.dll+10b943|C:\Windows\System32\TwinUI.dll+10c487|C:\Windows\System32\TwinUI.dll+d66a4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089485Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.049{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089484Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.049{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089483Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.049{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089482Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.049{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089481Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.049{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be638|C:\Windows\System32\TwinUI.dll+be89a|C:\Windows\System32\TwinUI.dll+bf47b|C:\Windows\System32\TwinUI.dll+bf402|C:\Windows\System32\TwinUI.dll+10acd3|C:\Windows\System32\TwinUI.dll+10b943|C:\Windows\System32\TwinUI.dll+10c487|C:\Windows\System32\TwinUI.dll+d66a4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089480Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.049{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be638|C:\Windows\System32\TwinUI.dll+be89a|C:\Windows\System32\TwinUI.dll+bf47b|C:\Windows\System32\TwinUI.dll+bf402|C:\Windows\System32\TwinUI.dll+10acd3|C:\Windows\System32\TwinUI.dll+10b943|C:\Windows\System32\TwinUI.dll+10c487|C:\Windows\System32\TwinUI.dll+d66a4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089479Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.049{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089478Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.049{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089477Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.049{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089476Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.049{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089475Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.034{9531C931-513E-623C-6505-000000004302}35884116C:\Windows\Explorer.EXE{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+fd5ec|C:\Windows\System32\TwinUI.dll+ba684|C:\Windows\System32\TwinUI.dll+b63cb|C:\Windows\System32\TwinUI.dll+d668a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089474Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.034{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089473Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.034{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089472Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.017{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089471Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.017{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089470Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.017{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089469Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.017{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089468Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.017{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089467Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:02.017{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089466Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.986{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1528d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009 10341000x800000000000000089465Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.986{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000089464Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:01.986{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 23542300x800000000000000090341Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.892{9531C931-513E-623C-6505-000000004302}3588WIN-HOST-TCONTR\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1920_1080_POS4.jpgMD5=29909D3B662A429603C439A25717C213,SHA256=1C83A5D03C17235C3249936859F101C2934B0A7D569553A0D97C97A332ABE1AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090340Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.424{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8ED25AF1AEDADAA0AA6FE20EA917A2BE,SHA256=499253CB32ACB5ABD04328A70CED6B5179B6F530094DEBD13D0FD5F08470C90E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090339Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.361{9531C931-513C-623C-5C05-000000004302}25564900C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd 10341000x800000000000000090338Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.361{9531C931-513C-623C-5C05-000000004302}25564900C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e 10341000x800000000000000090337Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.345{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141b87|C:\Windows\System32\windows.storage.dll+1414b3|C:\Windows\System32\windows.storage.dll+141339|C:\Windows\System32\windows.storage.dll+103441|C:\Windows\System32\windows.storage.dll+102f3a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175|C:\Windows\System32\windows.storage.dll+6665c|C:\Windows\System32\windows.storage.dll+667b0|C:\Windows\System32\windows.storage.dll+e92a1|C:\Windows\System32\windows.storage.dll+e8b32|C:\Windows\System32\windows.storage.dll+e6519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090336Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.345{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141af2|C:\Windows\System32\windows.storage.dll+1414b3|C:\Windows\System32\windows.storage.dll+141339|C:\Windows\System32\windows.storage.dll+103441|C:\Windows\System32\windows.storage.dll+102f3a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175|C:\Windows\System32\windows.storage.dll+6665c|C:\Windows\System32\windows.storage.dll+667b0|C:\Windows\System32\windows.storage.dll+e92a1|C:\Windows\System32\windows.storage.dll+e8b32|C:\Windows\System32\windows.storage.dll+e6519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090335Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.345{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+141ad7|C:\Windows\System32\windows.storage.dll+1414b3|C:\Windows\System32\windows.storage.dll+141339|C:\Windows\System32\windows.storage.dll+103441|C:\Windows\System32\windows.storage.dll+102f3a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175|C:\Windows\System32\windows.storage.dll+6665c|C:\Windows\System32\windows.storage.dll+667b0|C:\Windows\System32\windows.storage.dll+e92a1|C:\Windows\System32\windows.storage.dll+e8b32|C:\Windows\System32\windows.storage.dll+e6519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090334Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.345{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+141ad7|C:\Windows\System32\windows.storage.dll+1414b3|C:\Windows\System32\windows.storage.dll+141339|C:\Windows\System32\windows.storage.dll+103441|C:\Windows\System32\windows.storage.dll+102f3a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175|C:\Windows\System32\windows.storage.dll+6665c|C:\Windows\System32\windows.storage.dll+667b0|C:\Windows\System32\windows.storage.dll+e92a1|C:\Windows\System32\windows.storage.dll+e8b32|C:\Windows\System32\windows.storage.dll+e6519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090333Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.345{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+ace9a|C:\Windows\System32\SHELL32.dll+ddff2|C:\Windows\System32\SHELL32.dll+e75ca|C:\Windows\System32\windows.storage.dll+1572dd|C:\Windows\System32\windows.storage.dll+156f23|C:\Windows\System32\windows.storage.dll+103260|C:\Windows\System32\windows.storage.dll+102f3a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175|C:\Windows\System32\windows.storage.dll+6665c|C:\Windows\System32\windows.storage.dll+667b0|C:\Windows\System32\windows.storage.dll+e92a1|C:\Windows\System32\windows.storage.dll+e8b32|C:\Windows\System32\windows.storage.dll+e6519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090332Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.345{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+ace04|C:\Windows\System32\SHELL32.dll+ddff2|C:\Windows\System32\SHELL32.dll+e75ca|C:\Windows\System32\windows.storage.dll+1572dd|C:\Windows\System32\windows.storage.dll+156f23|C:\Windows\System32\windows.storage.dll+103260|C:\Windows\System32\windows.storage.dll+102f3a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175|C:\Windows\System32\windows.storage.dll+6665c|C:\Windows\System32\windows.storage.dll+667b0|C:\Windows\System32\windows.storage.dll+e92a1|C:\Windows\System32\windows.storage.dll+e8b32|C:\Windows\System32\windows.storage.dll+e6519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090331Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.345{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+acde6|C:\Windows\System32\SHELL32.dll+ddff2|C:\Windows\System32\SHELL32.dll+e75ca|C:\Windows\System32\windows.storage.dll+1572dd|C:\Windows\System32\windows.storage.dll+156f23|C:\Windows\System32\windows.storage.dll+103260|C:\Windows\System32\windows.storage.dll+102f3a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175|C:\Windows\System32\windows.storage.dll+6665c|C:\Windows\System32\windows.storage.dll+667b0|C:\Windows\System32\windows.storage.dll+e92a1|C:\Windows\System32\windows.storage.dll+e8b32|C:\Windows\System32\windows.storage.dll+e6519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090330Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.345{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+acde6|C:\Windows\System32\SHELL32.dll+ddff2|C:\Windows\System32\SHELL32.dll+e75ca|C:\Windows\System32\windows.storage.dll+1572dd|C:\Windows\System32\windows.storage.dll+156f23|C:\Windows\System32\windows.storage.dll+103260|C:\Windows\System32\windows.storage.dll+102f3a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175|C:\Windows\System32\windows.storage.dll+6665c|C:\Windows\System32\windows.storage.dll+667b0|C:\Windows\System32\windows.storage.dll+e92a1|C:\Windows\System32\windows.storage.dll+e8b32|C:\Windows\System32\windows.storage.dll+e6519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090329Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.345{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141b87|C:\Windows\System32\windows.storage.dll+141161|C:\Windows\System32\windows.storage.dll+14108c|C:\Windows\System32\windows.storage.dll+10431b|C:\Windows\System32\windows.storage.dll+104068|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175|C:\Windows\System32\windows.storage.dll+6665c|C:\Windows\System32\windows.storage.dll+667b0|C:\Windows\System32\windows.storage.dll+e92a1|C:\Windows\System32\windows.storage.dll+e8b32|C:\Windows\System32\windows.storage.dll+e6519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090328Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.345{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141af2|C:\Windows\System32\windows.storage.dll+141161|C:\Windows\System32\windows.storage.dll+14108c|C:\Windows\System32\windows.storage.dll+10431b|C:\Windows\System32\windows.storage.dll+104068|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175|C:\Windows\System32\windows.storage.dll+6665c|C:\Windows\System32\windows.storage.dll+667b0|C:\Windows\System32\windows.storage.dll+e92a1|C:\Windows\System32\windows.storage.dll+e8b32|C:\Windows\System32\windows.storage.dll+e6519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090327Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.345{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+141ad7|C:\Windows\System32\windows.storage.dll+141161|C:\Windows\System32\windows.storage.dll+14108c|C:\Windows\System32\windows.storage.dll+10431b|C:\Windows\System32\windows.storage.dll+104068|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175|C:\Windows\System32\windows.storage.dll+6665c|C:\Windows\System32\windows.storage.dll+667b0|C:\Windows\System32\windows.storage.dll+e92a1|C:\Windows\System32\windows.storage.dll+e8b32|C:\Windows\System32\windows.storage.dll+e6519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090326Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.345{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+141ad7|C:\Windows\System32\windows.storage.dll+141161|C:\Windows\System32\windows.storage.dll+14108c|C:\Windows\System32\windows.storage.dll+10431b|C:\Windows\System32\windows.storage.dll+104068|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175|C:\Windows\System32\windows.storage.dll+6665c|C:\Windows\System32\windows.storage.dll+667b0|C:\Windows\System32\windows.storage.dll+e92a1|C:\Windows\System32\windows.storage.dll+e8b32|C:\Windows\System32\windows.storage.dll+e6519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090325Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.345{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141b87|C:\Windows\System32\windows.storage.dll+141161|C:\Windows\System32\windows.storage.dll+14108c|C:\Windows\System32\windows.storage.dll+10431b|C:\Windows\System32\windows.storage.dll+104045|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175|C:\Windows\System32\windows.storage.dll+6665c|C:\Windows\System32\windows.storage.dll+667b0|C:\Windows\System32\windows.storage.dll+e92a1|C:\Windows\System32\windows.storage.dll+e8b32|C:\Windows\System32\windows.storage.dll+e6519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090324Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.345{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141af2|C:\Windows\System32\windows.storage.dll+141161|C:\Windows\System32\windows.storage.dll+14108c|C:\Windows\System32\windows.storage.dll+10431b|C:\Windows\System32\windows.storage.dll+104045|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175|C:\Windows\System32\windows.storage.dll+6665c|C:\Windows\System32\windows.storage.dll+667b0|C:\Windows\System32\windows.storage.dll+e92a1|C:\Windows\System32\windows.storage.dll+e8b32|C:\Windows\System32\windows.storage.dll+e6519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090323Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.345{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+141ad7|C:\Windows\System32\windows.storage.dll+141161|C:\Windows\System32\windows.storage.dll+14108c|C:\Windows\System32\windows.storage.dll+10431b|C:\Windows\System32\windows.storage.dll+104045|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175|C:\Windows\System32\windows.storage.dll+6665c|C:\Windows\System32\windows.storage.dll+667b0|C:\Windows\System32\windows.storage.dll+e92a1|C:\Windows\System32\windows.storage.dll+e8b32|C:\Windows\System32\windows.storage.dll+e6519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090322Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.345{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+141ad7|C:\Windows\System32\windows.storage.dll+141161|C:\Windows\System32\windows.storage.dll+14108c|C:\Windows\System32\windows.storage.dll+10431b|C:\Windows\System32\windows.storage.dll+104045|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175|C:\Windows\System32\windows.storage.dll+6665c|C:\Windows\System32\windows.storage.dll+667b0|C:\Windows\System32\windows.storage.dll+e92a1|C:\Windows\System32\windows.storage.dll+e8b32|C:\Windows\System32\windows.storage.dll+e6519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090321Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.345{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141b87|C:\Windows\System32\windows.storage.dll+141161|C:\Windows\System32\windows.storage.dll+14108c|C:\Windows\System32\windows.storage.dll+10431b|C:\Windows\System32\windows.storage.dll+106810|C:\Windows\System32\windows.storage.dll+1019ce|C:\Windows\System32\windows.storage.dll+1041c8|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175|C:\Windows\System32\windows.storage.dll+6665c|C:\Windows\System32\windows.storage.dll+667b0|C:\Windows\System32\windows.storage.dll+e92a1|C:\Windows\System32\windows.storage.dll+e8b32|C:\Windows\System32\windows.storage.dll+e6519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090320Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.345{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141af2|C:\Windows\System32\windows.storage.dll+141161|C:\Windows\System32\windows.storage.dll+14108c|C:\Windows\System32\windows.storage.dll+10431b|C:\Windows\System32\windows.storage.dll+106810|C:\Windows\System32\windows.storage.dll+1019ce|C:\Windows\System32\windows.storage.dll+1041c8|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175|C:\Windows\System32\windows.storage.dll+6665c|C:\Windows\System32\windows.storage.dll+667b0|C:\Windows\System32\windows.storage.dll+e92a1|C:\Windows\System32\windows.storage.dll+e8b32|C:\Windows\System32\windows.storage.dll+e6519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090319Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.345{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+141ad7|C:\Windows\System32\windows.storage.dll+141161|C:\Windows\System32\windows.storage.dll+14108c|C:\Windows\System32\windows.storage.dll+10431b|C:\Windows\System32\windows.storage.dll+106810|C:\Windows\System32\windows.storage.dll+1019ce|C:\Windows\System32\windows.storage.dll+1041c8|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175|C:\Windows\System32\windows.storage.dll+6665c|C:\Windows\System32\windows.storage.dll+667b0|C:\Windows\System32\windows.storage.dll+e92a1|C:\Windows\System32\windows.storage.dll+e8b32|C:\Windows\System32\windows.storage.dll+e6519 10341000x800000000000000090318Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.345{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+141ad7|C:\Windows\System32\windows.storage.dll+141161|C:\Windows\System32\windows.storage.dll+14108c|C:\Windows\System32\windows.storage.dll+10431b|C:\Windows\System32\windows.storage.dll+106810|C:\Windows\System32\windows.storage.dll+1019ce|C:\Windows\System32\windows.storage.dll+1041c8|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175|C:\Windows\System32\windows.storage.dll+6665c|C:\Windows\System32\windows.storage.dll+667b0|C:\Windows\System32\windows.storage.dll+e92a1|C:\Windows\System32\windows.storage.dll+e8b32|C:\Windows\System32\windows.storage.dll+e6519|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000090317Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.345{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141b87|C:\Windows\System32\windows.storage.dll+1414b3|C:\Windows\System32\windows.storage.dll+141339|C:\Windows\System32\windows.storage.dll+10a42f|C:\Windows\System32\windows.storage.dll+10776d|C:\Windows\System32\windows.storage.dll+10855d|C:\Windows\System32\windows.storage.dll+1066da|C:\Windows\System32\windows.storage.dll+1019ce|C:\Windows\System32\windows.storage.dll+1041c8|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175|C:\Windows\System32\windows.storage.dll+6665c|C:\Windows\System32\windows.storage.dll+667b0|C:\Windows\System32\windows.storage.dll+e92a1|C:\Windows\System32\windows.storage.dll+e8b32|C:\Windows\System32\windows.storage.dll+e6519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090316Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.345{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141af2|C:\Windows\System32\windows.storage.dll+1414b3|C:\Windows\System32\windows.storage.dll+141339|C:\Windows\System32\windows.storage.dll+10a42f|C:\Windows\System32\windows.storage.dll+10776d|C:\Windows\System32\windows.storage.dll+10855d|C:\Windows\System32\windows.storage.dll+1066da|C:\Windows\System32\windows.storage.dll+1019ce|C:\Windows\System32\windows.storage.dll+1041c8|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175|C:\Windows\System32\windows.storage.dll+6665c|C:\Windows\System32\windows.storage.dll+667b0|C:\Windows\System32\windows.storage.dll+e92a1|C:\Windows\System32\windows.storage.dll+e8b32|C:\Windows\System32\windows.storage.dll+e6519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090315Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.345{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+141ad7|C:\Windows\System32\windows.storage.dll+1414b3|C:\Windows\System32\windows.storage.dll+141339|C:\Windows\System32\windows.storage.dll+10a42f|C:\Windows\System32\windows.storage.dll+10776d|C:\Windows\System32\windows.storage.dll+10855d|C:\Windows\System32\windows.storage.dll+1066da|C:\Windows\System32\windows.storage.dll+1019ce|C:\Windows\System32\windows.storage.dll+1041c8|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175|C:\Windows\System32\windows.storage.dll+6665c|C:\Windows\System32\windows.storage.dll+667b0|C:\Windows\System32\windows.storage.dll+e92a1 10341000x800000000000000090314Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.345{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+141ad7|C:\Windows\System32\windows.storage.dll+1414b3|C:\Windows\System32\windows.storage.dll+141339|C:\Windows\System32\windows.storage.dll+10a42f|C:\Windows\System32\windows.storage.dll+10776d|C:\Windows\System32\windows.storage.dll+10855d|C:\Windows\System32\windows.storage.dll+1066da|C:\Windows\System32\windows.storage.dll+1019ce|C:\Windows\System32\windows.storage.dll+1041c8|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175|C:\Windows\System32\windows.storage.dll+6665c|C:\Windows\System32\windows.storage.dll+667b0|C:\Windows\System32\windows.storage.dll+e92a1|C:\Windows\System32\windows.storage.dll+e8b32 10341000x800000000000000090313Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.345{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141b87|C:\Windows\System32\windows.storage.dll+1414b3|C:\Windows\System32\windows.storage.dll+141339|C:\Windows\System32\windows.storage.dll+10aa86|C:\Windows\System32\windows.storage.dll+10a40b|C:\Windows\System32\windows.storage.dll+10776d|C:\Windows\System32\windows.storage.dll+10855d|C:\Windows\System32\windows.storage.dll+1066da|C:\Windows\System32\windows.storage.dll+1019ce|C:\Windows\System32\windows.storage.dll+1041c8|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175|C:\Windows\System32\windows.storage.dll+6665c|C:\Windows\System32\windows.storage.dll+667b0|C:\Windows\System32\windows.storage.dll+e92a1|C:\Windows\System32\windows.storage.dll+e8b32|C:\Windows\System32\windows.storage.dll+e6519|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000090312Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.345{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141af2|C:\Windows\System32\windows.storage.dll+1414b3|C:\Windows\System32\windows.storage.dll+141339|C:\Windows\System32\windows.storage.dll+10aa86|C:\Windows\System32\windows.storage.dll+10a40b|C:\Windows\System32\windows.storage.dll+10776d|C:\Windows\System32\windows.storage.dll+10855d|C:\Windows\System32\windows.storage.dll+1066da|C:\Windows\System32\windows.storage.dll+1019ce|C:\Windows\System32\windows.storage.dll+1041c8|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175|C:\Windows\System32\windows.storage.dll+6665c|C:\Windows\System32\windows.storage.dll+667b0|C:\Windows\System32\windows.storage.dll+e92a1|C:\Windows\System32\windows.storage.dll+e8b32|C:\Windows\System32\windows.storage.dll+e6519|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000090311Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.345{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+141ad7|C:\Windows\System32\windows.storage.dll+1414b3|C:\Windows\System32\windows.storage.dll+141339|C:\Windows\System32\windows.storage.dll+10aa86|C:\Windows\System32\windows.storage.dll+10a40b|C:\Windows\System32\windows.storage.dll+10776d|C:\Windows\System32\windows.storage.dll+10855d|C:\Windows\System32\windows.storage.dll+1066da|C:\Windows\System32\windows.storage.dll+1019ce|C:\Windows\System32\windows.storage.dll+1041c8|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175|C:\Windows\System32\windows.storage.dll+6665c|C:\Windows\System32\windows.storage.dll+667b0 10341000x800000000000000090310Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.345{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+141ad7|C:\Windows\System32\windows.storage.dll+1414b3|C:\Windows\System32\windows.storage.dll+141339|C:\Windows\System32\windows.storage.dll+10aa86|C:\Windows\System32\windows.storage.dll+10a40b|C:\Windows\System32\windows.storage.dll+10776d|C:\Windows\System32\windows.storage.dll+10855d|C:\Windows\System32\windows.storage.dll+1066da|C:\Windows\System32\windows.storage.dll+1019ce|C:\Windows\System32\windows.storage.dll+1041c8|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175|C:\Windows\System32\windows.storage.dll+6665c|C:\Windows\System32\windows.storage.dll+667b0|C:\Windows\System32\windows.storage.dll+e92a1 10341000x800000000000000090309Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.345{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141b87|C:\Windows\System32\windows.storage.dll+1414b3|C:\Windows\System32\windows.storage.dll+141339|C:\Windows\System32\windows.storage.dll+1096d4|C:\Windows\System32\windows.storage.dll+19adbe|C:\Windows\System32\windows.storage.dll+1071e3|C:\Windows\System32\windows.storage.dll+106c10|C:\Windows\System32\windows.storage.dll+106652|C:\Windows\System32\windows.storage.dll+106445|C:\Windows\System32\windows.storage.dll+1068bb|C:\Windows\System32\windows.storage.dll+1019ce|C:\Windows\System32\windows.storage.dll+1041c8|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175|C:\Windows\System32\windows.storage.dll+6665c|C:\Windows\System32\windows.storage.dll+667b0|C:\Windows\System32\windows.storage.dll+e92a1|C:\Windows\System32\windows.storage.dll+e8b32 10341000x800000000000000090308Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.345{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141af2|C:\Windows\System32\windows.storage.dll+1414b3|C:\Windows\System32\windows.storage.dll+141339|C:\Windows\System32\windows.storage.dll+1096d4|C:\Windows\System32\windows.storage.dll+19adbe|C:\Windows\System32\windows.storage.dll+1071e3|C:\Windows\System32\windows.storage.dll+106c10|C:\Windows\System32\windows.storage.dll+106652|C:\Windows\System32\windows.storage.dll+106445|C:\Windows\System32\windows.storage.dll+1068bb|C:\Windows\System32\windows.storage.dll+1019ce|C:\Windows\System32\windows.storage.dll+1041c8|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175|C:\Windows\System32\windows.storage.dll+6665c|C:\Windows\System32\windows.storage.dll+667b0|C:\Windows\System32\windows.storage.dll+e92a1|C:\Windows\System32\windows.storage.dll+e8b32 10341000x800000000000000090307Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.345{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+141ad7|C:\Windows\System32\windows.storage.dll+1414b3|C:\Windows\System32\windows.storage.dll+141339|C:\Windows\System32\windows.storage.dll+1096d4|C:\Windows\System32\windows.storage.dll+19adbe|C:\Windows\System32\windows.storage.dll+1071e3|C:\Windows\System32\windows.storage.dll+106c10|C:\Windows\System32\windows.storage.dll+106652|C:\Windows\System32\windows.storage.dll+106445|C:\Windows\System32\windows.storage.dll+1068bb|C:\Windows\System32\windows.storage.dll+1019ce|C:\Windows\System32\windows.storage.dll+1041c8|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175 10341000x800000000000000090306Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.345{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+141ad7|C:\Windows\System32\windows.storage.dll+1414b3|C:\Windows\System32\windows.storage.dll+141339|C:\Windows\System32\windows.storage.dll+1096d4|C:\Windows\System32\windows.storage.dll+19adbe|C:\Windows\System32\windows.storage.dll+1071e3|C:\Windows\System32\windows.storage.dll+106c10|C:\Windows\System32\windows.storage.dll+106652|C:\Windows\System32\windows.storage.dll+106445|C:\Windows\System32\windows.storage.dll+1068bb|C:\Windows\System32\windows.storage.dll+1019ce|C:\Windows\System32\windows.storage.dll+1041c8|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175|C:\Windows\System32\windows.storage.dll+6665c 10341000x800000000000000090305Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.345{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141b87|C:\Windows\System32\windows.storage.dll+1414b3|C:\Windows\System32\windows.storage.dll+141339|C:\Windows\System32\windows.storage.dll+19cffa|C:\Windows\System32\windows.storage.dll+10a517|C:\Windows\System32\windows.storage.dll+19ad79|C:\Windows\System32\windows.storage.dll+1071e3|C:\Windows\System32\windows.storage.dll+106c10|C:\Windows\System32\windows.storage.dll+106652|C:\Windows\System32\windows.storage.dll+106445|C:\Windows\System32\windows.storage.dll+1068bb|C:\Windows\System32\windows.storage.dll+1019ce|C:\Windows\System32\windows.storage.dll+1041c8|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175|C:\Windows\System32\windows.storage.dll+6665c|C:\Windows\System32\windows.storage.dll+667b0|C:\Windows\System32\windows.storage.dll+e92a1 10341000x800000000000000090304Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.345{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141af2|C:\Windows\System32\windows.storage.dll+1414b3|C:\Windows\System32\windows.storage.dll+141339|C:\Windows\System32\windows.storage.dll+19cffa|C:\Windows\System32\windows.storage.dll+10a517|C:\Windows\System32\windows.storage.dll+19ad79|C:\Windows\System32\windows.storage.dll+1071e3|C:\Windows\System32\windows.storage.dll+106c10|C:\Windows\System32\windows.storage.dll+106652|C:\Windows\System32\windows.storage.dll+106445|C:\Windows\System32\windows.storage.dll+1068bb|C:\Windows\System32\windows.storage.dll+1019ce|C:\Windows\System32\windows.storage.dll+1041c8|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175|C:\Windows\System32\windows.storage.dll+6665c|C:\Windows\System32\windows.storage.dll+667b0|C:\Windows\System32\windows.storage.dll+e92a1 10341000x800000000000000090303Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.345{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+141ad7|C:\Windows\System32\windows.storage.dll+1414b3|C:\Windows\System32\windows.storage.dll+141339|C:\Windows\System32\windows.storage.dll+19cffa|C:\Windows\System32\windows.storage.dll+10a517|C:\Windows\System32\windows.storage.dll+19ad79|C:\Windows\System32\windows.storage.dll+1071e3|C:\Windows\System32\windows.storage.dll+106c10|C:\Windows\System32\windows.storage.dll+106652|C:\Windows\System32\windows.storage.dll+106445|C:\Windows\System32\windows.storage.dll+1068bb|C:\Windows\System32\windows.storage.dll+1019ce|C:\Windows\System32\windows.storage.dll+1041c8|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe 10341000x800000000000000090302Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.345{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+141ad7|C:\Windows\System32\windows.storage.dll+1414b3|C:\Windows\System32\windows.storage.dll+141339|C:\Windows\System32\windows.storage.dll+19cffa|C:\Windows\System32\windows.storage.dll+10a517|C:\Windows\System32\windows.storage.dll+19ad79|C:\Windows\System32\windows.storage.dll+1071e3|C:\Windows\System32\windows.storage.dll+106c10|C:\Windows\System32\windows.storage.dll+106652|C:\Windows\System32\windows.storage.dll+106445|C:\Windows\System32\windows.storage.dll+1068bb|C:\Windows\System32\windows.storage.dll+1019ce|C:\Windows\System32\windows.storage.dll+1041c8|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175 23542300x800000000000000090301Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.345{9531C931-513C-623C-5C05-000000004302}2556WIN-HOST-TCONTR\AdministratorC:\Windows\System32\RuntimeBroker.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{0f425d36-ec0d-49ae-b068-934128ab89ba}\Apps.indexMD5=8E91EDC4F4BC95A9B5A514EEBAAD0940,SHA256=E8C606A2EBC6C855A56CA3E9A6F16A6B79753CE1CCA67DAC005585A31A4DA211,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090300Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.345{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141b87|C:\Windows\System32\windows.storage.dll+1414b3|C:\Windows\System32\windows.storage.dll+141339|C:\Windows\System32\windows.storage.dll+1096d4|C:\Windows\System32\windows.storage.dll+19adbe|C:\Windows\System32\windows.storage.dll+1071e3|C:\Windows\System32\windows.storage.dll+106c10|C:\Windows\System32\windows.storage.dll+106652|C:\Windows\System32\windows.storage.dll+106445|C:\Windows\System32\windows.storage.dll+1068bb|C:\Windows\System32\windows.storage.dll+1019ce|C:\Windows\System32\windows.storage.dll+1041c8|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175|C:\Windows\System32\windows.storage.dll+6665c|C:\Windows\System32\windows.storage.dll+667b0|C:\Windows\System32\windows.storage.dll+e92a1|C:\Windows\System32\windows.storage.dll+e8b32 10341000x800000000000000090299Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.345{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141af2|C:\Windows\System32\windows.storage.dll+1414b3|C:\Windows\System32\windows.storage.dll+141339|C:\Windows\System32\windows.storage.dll+1096d4|C:\Windows\System32\windows.storage.dll+19adbe|C:\Windows\System32\windows.storage.dll+1071e3|C:\Windows\System32\windows.storage.dll+106c10|C:\Windows\System32\windows.storage.dll+106652|C:\Windows\System32\windows.storage.dll+106445|C:\Windows\System32\windows.storage.dll+1068bb|C:\Windows\System32\windows.storage.dll+1019ce|C:\Windows\System32\windows.storage.dll+1041c8|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175|C:\Windows\System32\windows.storage.dll+6665c|C:\Windows\System32\windows.storage.dll+667b0|C:\Windows\System32\windows.storage.dll+e92a1|C:\Windows\System32\windows.storage.dll+e8b32 10341000x800000000000000090298Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.345{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+141ad7|C:\Windows\System32\windows.storage.dll+1414b3|C:\Windows\System32\windows.storage.dll+141339|C:\Windows\System32\windows.storage.dll+1096d4|C:\Windows\System32\windows.storage.dll+19adbe|C:\Windows\System32\windows.storage.dll+1071e3|C:\Windows\System32\windows.storage.dll+106c10|C:\Windows\System32\windows.storage.dll+106652|C:\Windows\System32\windows.storage.dll+106445|C:\Windows\System32\windows.storage.dll+1068bb|C:\Windows\System32\windows.storage.dll+1019ce|C:\Windows\System32\windows.storage.dll+1041c8|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175 10341000x800000000000000090297Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.345{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+141ad7|C:\Windows\System32\windows.storage.dll+1414b3|C:\Windows\System32\windows.storage.dll+141339|C:\Windows\System32\windows.storage.dll+1096d4|C:\Windows\System32\windows.storage.dll+19adbe|C:\Windows\System32\windows.storage.dll+1071e3|C:\Windows\System32\windows.storage.dll+106c10|C:\Windows\System32\windows.storage.dll+106652|C:\Windows\System32\windows.storage.dll+106445|C:\Windows\System32\windows.storage.dll+1068bb|C:\Windows\System32\windows.storage.dll+1019ce|C:\Windows\System32\windows.storage.dll+1041c8|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175|C:\Windows\System32\windows.storage.dll+6665c 10341000x800000000000000090296Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.345{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141b87|C:\Windows\System32\windows.storage.dll+1414b3|C:\Windows\System32\windows.storage.dll+141339|C:\Windows\System32\windows.storage.dll+19cffa|C:\Windows\System32\windows.storage.dll+10a517|C:\Windows\System32\windows.storage.dll+19ad79|C:\Windows\System32\windows.storage.dll+1071e3|C:\Windows\System32\windows.storage.dll+106c10|C:\Windows\System32\windows.storage.dll+106652|C:\Windows\System32\windows.storage.dll+106445|C:\Windows\System32\windows.storage.dll+1068bb|C:\Windows\System32\windows.storage.dll+1019ce|C:\Windows\System32\windows.storage.dll+1041c8|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175|C:\Windows\System32\windows.storage.dll+6665c|C:\Windows\System32\windows.storage.dll+667b0|C:\Windows\System32\windows.storage.dll+e92a1 10341000x800000000000000090295Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.345{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141af2|C:\Windows\System32\windows.storage.dll+1414b3|C:\Windows\System32\windows.storage.dll+141339|C:\Windows\System32\windows.storage.dll+19cffa|C:\Windows\System32\windows.storage.dll+10a517|C:\Windows\System32\windows.storage.dll+19ad79|C:\Windows\System32\windows.storage.dll+1071e3|C:\Windows\System32\windows.storage.dll+106c10|C:\Windows\System32\windows.storage.dll+106652|C:\Windows\System32\windows.storage.dll+106445|C:\Windows\System32\windows.storage.dll+1068bb|C:\Windows\System32\windows.storage.dll+1019ce|C:\Windows\System32\windows.storage.dll+1041c8|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175|C:\Windows\System32\windows.storage.dll+6665c|C:\Windows\System32\windows.storage.dll+667b0|C:\Windows\System32\windows.storage.dll+e92a1 10341000x800000000000000090294Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.345{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+141ad7|C:\Windows\System32\windows.storage.dll+1414b3|C:\Windows\System32\windows.storage.dll+141339|C:\Windows\System32\windows.storage.dll+19cffa|C:\Windows\System32\windows.storage.dll+10a517|C:\Windows\System32\windows.storage.dll+19ad79|C:\Windows\System32\windows.storage.dll+1071e3|C:\Windows\System32\windows.storage.dll+106c10|C:\Windows\System32\windows.storage.dll+106652|C:\Windows\System32\windows.storage.dll+106445|C:\Windows\System32\windows.storage.dll+1068bb|C:\Windows\System32\windows.storage.dll+1019ce|C:\Windows\System32\windows.storage.dll+1041c8|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe 10341000x800000000000000090293Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.330{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+141ad7|C:\Windows\System32\windows.storage.dll+1414b3|C:\Windows\System32\windows.storage.dll+141339|C:\Windows\System32\windows.storage.dll+19cffa|C:\Windows\System32\windows.storage.dll+10a517|C:\Windows\System32\windows.storage.dll+19ad79|C:\Windows\System32\windows.storage.dll+1071e3|C:\Windows\System32\windows.storage.dll+106c10|C:\Windows\System32\windows.storage.dll+106652|C:\Windows\System32\windows.storage.dll+106445|C:\Windows\System32\windows.storage.dll+1068bb|C:\Windows\System32\windows.storage.dll+1019ce|C:\Windows\System32\windows.storage.dll+1041c8|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175 23542300x800000000000000090292Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.330{9531C931-513C-623C-5C05-000000004302}2556WIN-HOST-TCONTR\AdministratorC:\Windows\System32\RuntimeBroker.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{0f425d36-ec0d-49ae-b068-934128ab89ba}\Apps.ftMD5=33FB5A2F023F0AEE2E5081C4020A974E,SHA256=8811D15B3676A9AD1CE4EF00541353E03C70BB3080A121C41784A42A73B77DB8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090291Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.330{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141b87|C:\Windows\System32\windows.storage.dll+1414b3|C:\Windows\System32\windows.storage.dll+141339|C:\Windows\System32\windows.storage.dll+1096d4|C:\Windows\System32\windows.storage.dll+19adbe|C:\Windows\System32\windows.storage.dll+1071e3|C:\Windows\System32\windows.storage.dll+106c10|C:\Windows\System32\windows.storage.dll+106652|C:\Windows\System32\windows.storage.dll+106445|C:\Windows\System32\windows.storage.dll+1068bb|C:\Windows\System32\windows.storage.dll+1019ce|C:\Windows\System32\windows.storage.dll+1041c8|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175|C:\Windows\System32\windows.storage.dll+6665c|C:\Windows\System32\windows.storage.dll+667b0|C:\Windows\System32\windows.storage.dll+e92a1|C:\Windows\System32\windows.storage.dll+e8b32 10341000x800000000000000090290Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.330{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141af2|C:\Windows\System32\windows.storage.dll+1414b3|C:\Windows\System32\windows.storage.dll+141339|C:\Windows\System32\windows.storage.dll+1096d4|C:\Windows\System32\windows.storage.dll+19adbe|C:\Windows\System32\windows.storage.dll+1071e3|C:\Windows\System32\windows.storage.dll+106c10|C:\Windows\System32\windows.storage.dll+106652|C:\Windows\System32\windows.storage.dll+106445|C:\Windows\System32\windows.storage.dll+1068bb|C:\Windows\System32\windows.storage.dll+1019ce|C:\Windows\System32\windows.storage.dll+1041c8|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175|C:\Windows\System32\windows.storage.dll+6665c|C:\Windows\System32\windows.storage.dll+667b0|C:\Windows\System32\windows.storage.dll+e92a1|C:\Windows\System32\windows.storage.dll+e8b32 10341000x800000000000000090289Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.330{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+141ad7|C:\Windows\System32\windows.storage.dll+1414b3|C:\Windows\System32\windows.storage.dll+141339|C:\Windows\System32\windows.storage.dll+1096d4|C:\Windows\System32\windows.storage.dll+19adbe|C:\Windows\System32\windows.storage.dll+1071e3|C:\Windows\System32\windows.storage.dll+106c10|C:\Windows\System32\windows.storage.dll+106652|C:\Windows\System32\windows.storage.dll+106445|C:\Windows\System32\windows.storage.dll+1068bb|C:\Windows\System32\windows.storage.dll+1019ce|C:\Windows\System32\windows.storage.dll+1041c8|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175 10341000x800000000000000090288Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.330{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+141ad7|C:\Windows\System32\windows.storage.dll+1414b3|C:\Windows\System32\windows.storage.dll+141339|C:\Windows\System32\windows.storage.dll+1096d4|C:\Windows\System32\windows.storage.dll+19adbe|C:\Windows\System32\windows.storage.dll+1071e3|C:\Windows\System32\windows.storage.dll+106c10|C:\Windows\System32\windows.storage.dll+106652|C:\Windows\System32\windows.storage.dll+106445|C:\Windows\System32\windows.storage.dll+1068bb|C:\Windows\System32\windows.storage.dll+1019ce|C:\Windows\System32\windows.storage.dll+1041c8|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175|C:\Windows\System32\windows.storage.dll+6665c 10341000x800000000000000090287Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.330{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141b87|C:\Windows\System32\windows.storage.dll+1414b3|C:\Windows\System32\windows.storage.dll+141339|C:\Windows\System32\windows.storage.dll+19cffa|C:\Windows\System32\windows.storage.dll+10a517|C:\Windows\System32\windows.storage.dll+19ad79|C:\Windows\System32\windows.storage.dll+1071e3|C:\Windows\System32\windows.storage.dll+106c10|C:\Windows\System32\windows.storage.dll+106652|C:\Windows\System32\windows.storage.dll+106445|C:\Windows\System32\windows.storage.dll+1068bb|C:\Windows\System32\windows.storage.dll+1019ce|C:\Windows\System32\windows.storage.dll+1041c8|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175|C:\Windows\System32\windows.storage.dll+6665c|C:\Windows\System32\windows.storage.dll+667b0|C:\Windows\System32\windows.storage.dll+e92a1 10341000x800000000000000090286Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.330{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141af2|C:\Windows\System32\windows.storage.dll+1414b3|C:\Windows\System32\windows.storage.dll+141339|C:\Windows\System32\windows.storage.dll+19cffa|C:\Windows\System32\windows.storage.dll+10a517|C:\Windows\System32\windows.storage.dll+19ad79|C:\Windows\System32\windows.storage.dll+1071e3|C:\Windows\System32\windows.storage.dll+106c10|C:\Windows\System32\windows.storage.dll+106652|C:\Windows\System32\windows.storage.dll+106445|C:\Windows\System32\windows.storage.dll+1068bb|C:\Windows\System32\windows.storage.dll+1019ce|C:\Windows\System32\windows.storage.dll+1041c8|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175|C:\Windows\System32\windows.storage.dll+6665c|C:\Windows\System32\windows.storage.dll+667b0|C:\Windows\System32\windows.storage.dll+e92a1 10341000x800000000000000090285Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.330{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+141ad7|C:\Windows\System32\windows.storage.dll+1414b3|C:\Windows\System32\windows.storage.dll+141339|C:\Windows\System32\windows.storage.dll+19cffa|C:\Windows\System32\windows.storage.dll+10a517|C:\Windows\System32\windows.storage.dll+19ad79|C:\Windows\System32\windows.storage.dll+1071e3|C:\Windows\System32\windows.storage.dll+106c10|C:\Windows\System32\windows.storage.dll+106652|C:\Windows\System32\windows.storage.dll+106445|C:\Windows\System32\windows.storage.dll+1068bb|C:\Windows\System32\windows.storage.dll+1019ce|C:\Windows\System32\windows.storage.dll+1041c8|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe 10341000x800000000000000090284Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.330{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+141ad7|C:\Windows\System32\windows.storage.dll+1414b3|C:\Windows\System32\windows.storage.dll+141339|C:\Windows\System32\windows.storage.dll+19cffa|C:\Windows\System32\windows.storage.dll+10a517|C:\Windows\System32\windows.storage.dll+19ad79|C:\Windows\System32\windows.storage.dll+1071e3|C:\Windows\System32\windows.storage.dll+106c10|C:\Windows\System32\windows.storage.dll+106652|C:\Windows\System32\windows.storage.dll+106445|C:\Windows\System32\windows.storage.dll+1068bb|C:\Windows\System32\windows.storage.dll+1019ce|C:\Windows\System32\windows.storage.dll+1041c8|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175 23542300x800000000000000090283Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.330{9531C931-513C-623C-5C05-000000004302}2556WIN-HOST-TCONTR\AdministratorC:\Windows\System32\RuntimeBroker.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{0f425d36-ec0d-49ae-b068-934128ab89ba}\Apps.dataMD5=A4D7E2FE51DDCE4010FE778CE70DC3F6,SHA256=AEF57712BB4C259E9D0144DF3B625206E118574A0F1DA185485E2E4FA30EC1DC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090282Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.330{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141b87|C:\Windows\System32\windows.storage.dll+1414b3|C:\Windows\System32\windows.storage.dll+141339|C:\Windows\System32\windows.storage.dll+1096d4|C:\Windows\System32\windows.storage.dll+19adbe|C:\Windows\System32\windows.storage.dll+1071e3|C:\Windows\System32\windows.storage.dll+106c10|C:\Windows\System32\windows.storage.dll+106652|C:\Windows\System32\windows.storage.dll+106445|C:\Windows\System32\windows.storage.dll+1068bb|C:\Windows\System32\windows.storage.dll+1019ce|C:\Windows\System32\windows.storage.dll+1041c8|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175|C:\Windows\System32\windows.storage.dll+6665c|C:\Windows\System32\windows.storage.dll+667b0|C:\Windows\System32\windows.storage.dll+e92a1|C:\Windows\System32\windows.storage.dll+e8b32 10341000x800000000000000090281Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.330{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141af2|C:\Windows\System32\windows.storage.dll+1414b3|C:\Windows\System32\windows.storage.dll+141339|C:\Windows\System32\windows.storage.dll+1096d4|C:\Windows\System32\windows.storage.dll+19adbe|C:\Windows\System32\windows.storage.dll+1071e3|C:\Windows\System32\windows.storage.dll+106c10|C:\Windows\System32\windows.storage.dll+106652|C:\Windows\System32\windows.storage.dll+106445|C:\Windows\System32\windows.storage.dll+1068bb|C:\Windows\System32\windows.storage.dll+1019ce|C:\Windows\System32\windows.storage.dll+1041c8|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175|C:\Windows\System32\windows.storage.dll+6665c|C:\Windows\System32\windows.storage.dll+667b0|C:\Windows\System32\windows.storage.dll+e92a1|C:\Windows\System32\windows.storage.dll+e8b32 10341000x800000000000000090280Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.330{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+141ad7|C:\Windows\System32\windows.storage.dll+1414b3|C:\Windows\System32\windows.storage.dll+141339|C:\Windows\System32\windows.storage.dll+1096d4|C:\Windows\System32\windows.storage.dll+19adbe|C:\Windows\System32\windows.storage.dll+1071e3|C:\Windows\System32\windows.storage.dll+106c10|C:\Windows\System32\windows.storage.dll+106652|C:\Windows\System32\windows.storage.dll+106445|C:\Windows\System32\windows.storage.dll+1068bb|C:\Windows\System32\windows.storage.dll+1019ce|C:\Windows\System32\windows.storage.dll+1041c8|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175 10341000x800000000000000090279Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.330{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+141ad7|C:\Windows\System32\windows.storage.dll+1414b3|C:\Windows\System32\windows.storage.dll+141339|C:\Windows\System32\windows.storage.dll+1096d4|C:\Windows\System32\windows.storage.dll+19adbe|C:\Windows\System32\windows.storage.dll+1071e3|C:\Windows\System32\windows.storage.dll+106c10|C:\Windows\System32\windows.storage.dll+106652|C:\Windows\System32\windows.storage.dll+106445|C:\Windows\System32\windows.storage.dll+1068bb|C:\Windows\System32\windows.storage.dll+1019ce|C:\Windows\System32\windows.storage.dll+1041c8|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175|C:\Windows\System32\windows.storage.dll+6665c 10341000x800000000000000090278Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.330{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141b87|C:\Windows\System32\windows.storage.dll+1414b3|C:\Windows\System32\windows.storage.dll+141339|C:\Windows\System32\windows.storage.dll+19cffa|C:\Windows\System32\windows.storage.dll+10a517|C:\Windows\System32\windows.storage.dll+19ad79|C:\Windows\System32\windows.storage.dll+1071e3|C:\Windows\System32\windows.storage.dll+106c10|C:\Windows\System32\windows.storage.dll+106652|C:\Windows\System32\windows.storage.dll+106445|C:\Windows\System32\windows.storage.dll+1068bb|C:\Windows\System32\windows.storage.dll+1019ce|C:\Windows\System32\windows.storage.dll+1041c8|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175|C:\Windows\System32\windows.storage.dll+6665c|C:\Windows\System32\windows.storage.dll+667b0|C:\Windows\System32\windows.storage.dll+e92a1 10341000x800000000000000090277Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.330{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141af2|C:\Windows\System32\windows.storage.dll+1414b3|C:\Windows\System32\windows.storage.dll+141339|C:\Windows\System32\windows.storage.dll+19cffa|C:\Windows\System32\windows.storage.dll+10a517|C:\Windows\System32\windows.storage.dll+19ad79|C:\Windows\System32\windows.storage.dll+1071e3|C:\Windows\System32\windows.storage.dll+106c10|C:\Windows\System32\windows.storage.dll+106652|C:\Windows\System32\windows.storage.dll+106445|C:\Windows\System32\windows.storage.dll+1068bb|C:\Windows\System32\windows.storage.dll+1019ce|C:\Windows\System32\windows.storage.dll+1041c8|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175|C:\Windows\System32\windows.storage.dll+6665c|C:\Windows\System32\windows.storage.dll+667b0|C:\Windows\System32\windows.storage.dll+e92a1 10341000x800000000000000090276Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.330{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+141ad7|C:\Windows\System32\windows.storage.dll+1414b3|C:\Windows\System32\windows.storage.dll+141339|C:\Windows\System32\windows.storage.dll+19cffa|C:\Windows\System32\windows.storage.dll+10a517|C:\Windows\System32\windows.storage.dll+19ad79|C:\Windows\System32\windows.storage.dll+1071e3|C:\Windows\System32\windows.storage.dll+106c10|C:\Windows\System32\windows.storage.dll+106652|C:\Windows\System32\windows.storage.dll+106445|C:\Windows\System32\windows.storage.dll+1068bb|C:\Windows\System32\windows.storage.dll+1019ce|C:\Windows\System32\windows.storage.dll+1041c8|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe 10341000x800000000000000090275Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.330{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+141ad7|C:\Windows\System32\windows.storage.dll+1414b3|C:\Windows\System32\windows.storage.dll+141339|C:\Windows\System32\windows.storage.dll+19cffa|C:\Windows\System32\windows.storage.dll+10a517|C:\Windows\System32\windows.storage.dll+19ad79|C:\Windows\System32\windows.storage.dll+1071e3|C:\Windows\System32\windows.storage.dll+106c10|C:\Windows\System32\windows.storage.dll+106652|C:\Windows\System32\windows.storage.dll+106445|C:\Windows\System32\windows.storage.dll+1068bb|C:\Windows\System32\windows.storage.dll+1019ce|C:\Windows\System32\windows.storage.dll+1041c8|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175 23542300x800000000000000090274Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.330{9531C931-513C-623C-5C05-000000004302}2556WIN-HOST-TCONTR\AdministratorC:\Windows\System32\RuntimeBroker.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{0f425d36-ec0d-49ae-b068-934128ab89ba}\0.2.filtertrie.intermediate.txtMD5=C204E9FAAF8565AD333828BEFF2D786E,SHA256=D65B6A3BF11A27A1CED1F7E98082246E40CF01289FD47FE4A5ED46C221F2F73F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090273Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.330{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141b87|C:\Windows\System32\windows.storage.dll+1414b3|C:\Windows\System32\windows.storage.dll+141339|C:\Windows\System32\windows.storage.dll+1096d4|C:\Windows\System32\windows.storage.dll+19adbe|C:\Windows\System32\windows.storage.dll+1071e3|C:\Windows\System32\windows.storage.dll+106c10|C:\Windows\System32\windows.storage.dll+106652|C:\Windows\System32\windows.storage.dll+106445|C:\Windows\System32\windows.storage.dll+1068bb|C:\Windows\System32\windows.storage.dll+1019ce|C:\Windows\System32\windows.storage.dll+1041c8|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175|C:\Windows\System32\windows.storage.dll+6665c|C:\Windows\System32\windows.storage.dll+667b0|C:\Windows\System32\windows.storage.dll+e92a1|C:\Windows\System32\windows.storage.dll+e8b32 10341000x800000000000000090272Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.330{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141af2|C:\Windows\System32\windows.storage.dll+1414b3|C:\Windows\System32\windows.storage.dll+141339|C:\Windows\System32\windows.storage.dll+1096d4|C:\Windows\System32\windows.storage.dll+19adbe|C:\Windows\System32\windows.storage.dll+1071e3|C:\Windows\System32\windows.storage.dll+106c10|C:\Windows\System32\windows.storage.dll+106652|C:\Windows\System32\windows.storage.dll+106445|C:\Windows\System32\windows.storage.dll+1068bb|C:\Windows\System32\windows.storage.dll+1019ce|C:\Windows\System32\windows.storage.dll+1041c8|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175|C:\Windows\System32\windows.storage.dll+6665c|C:\Windows\System32\windows.storage.dll+667b0|C:\Windows\System32\windows.storage.dll+e92a1|C:\Windows\System32\windows.storage.dll+e8b32 10341000x800000000000000090271Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.330{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+141ad7|C:\Windows\System32\windows.storage.dll+1414b3|C:\Windows\System32\windows.storage.dll+141339|C:\Windows\System32\windows.storage.dll+1096d4|C:\Windows\System32\windows.storage.dll+19adbe|C:\Windows\System32\windows.storage.dll+1071e3|C:\Windows\System32\windows.storage.dll+106c10|C:\Windows\System32\windows.storage.dll+106652|C:\Windows\System32\windows.storage.dll+106445|C:\Windows\System32\windows.storage.dll+1068bb|C:\Windows\System32\windows.storage.dll+1019ce|C:\Windows\System32\windows.storage.dll+1041c8|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175 10341000x800000000000000090270Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.330{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+141ad7|C:\Windows\System32\windows.storage.dll+1414b3|C:\Windows\System32\windows.storage.dll+141339|C:\Windows\System32\windows.storage.dll+1096d4|C:\Windows\System32\windows.storage.dll+19adbe|C:\Windows\System32\windows.storage.dll+1071e3|C:\Windows\System32\windows.storage.dll+106c10|C:\Windows\System32\windows.storage.dll+106652|C:\Windows\System32\windows.storage.dll+106445|C:\Windows\System32\windows.storage.dll+1068bb|C:\Windows\System32\windows.storage.dll+1019ce|C:\Windows\System32\windows.storage.dll+1041c8|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175|C:\Windows\System32\windows.storage.dll+6665c 10341000x800000000000000090269Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.330{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141b87|C:\Windows\System32\windows.storage.dll+1414b3|C:\Windows\System32\windows.storage.dll+141339|C:\Windows\System32\windows.storage.dll+19cffa|C:\Windows\System32\windows.storage.dll+10a517|C:\Windows\System32\windows.storage.dll+19ad79|C:\Windows\System32\windows.storage.dll+1071e3|C:\Windows\System32\windows.storage.dll+106c10|C:\Windows\System32\windows.storage.dll+106652|C:\Windows\System32\windows.storage.dll+106445|C:\Windows\System32\windows.storage.dll+1068bb|C:\Windows\System32\windows.storage.dll+1019ce|C:\Windows\System32\windows.storage.dll+1041c8|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175|C:\Windows\System32\windows.storage.dll+6665c|C:\Windows\System32\windows.storage.dll+667b0|C:\Windows\System32\windows.storage.dll+e92a1 10341000x800000000000000090268Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.330{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141af2|C:\Windows\System32\windows.storage.dll+1414b3|C:\Windows\System32\windows.storage.dll+141339|C:\Windows\System32\windows.storage.dll+19cffa|C:\Windows\System32\windows.storage.dll+10a517|C:\Windows\System32\windows.storage.dll+19ad79|C:\Windows\System32\windows.storage.dll+1071e3|C:\Windows\System32\windows.storage.dll+106c10|C:\Windows\System32\windows.storage.dll+106652|C:\Windows\System32\windows.storage.dll+106445|C:\Windows\System32\windows.storage.dll+1068bb|C:\Windows\System32\windows.storage.dll+1019ce|C:\Windows\System32\windows.storage.dll+1041c8|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175|C:\Windows\System32\windows.storage.dll+6665c|C:\Windows\System32\windows.storage.dll+667b0|C:\Windows\System32\windows.storage.dll+e92a1 10341000x800000000000000090267Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.330{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+141ad7|C:\Windows\System32\windows.storage.dll+1414b3|C:\Windows\System32\windows.storage.dll+141339|C:\Windows\System32\windows.storage.dll+19cffa|C:\Windows\System32\windows.storage.dll+10a517|C:\Windows\System32\windows.storage.dll+19ad79|C:\Windows\System32\windows.storage.dll+1071e3|C:\Windows\System32\windows.storage.dll+106c10|C:\Windows\System32\windows.storage.dll+106652|C:\Windows\System32\windows.storage.dll+106445|C:\Windows\System32\windows.storage.dll+1068bb|C:\Windows\System32\windows.storage.dll+1019ce|C:\Windows\System32\windows.storage.dll+1041c8|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe 10341000x800000000000000090266Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.330{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+141ad7|C:\Windows\System32\windows.storage.dll+1414b3|C:\Windows\System32\windows.storage.dll+141339|C:\Windows\System32\windows.storage.dll+19cffa|C:\Windows\System32\windows.storage.dll+10a517|C:\Windows\System32\windows.storage.dll+19ad79|C:\Windows\System32\windows.storage.dll+1071e3|C:\Windows\System32\windows.storage.dll+106c10|C:\Windows\System32\windows.storage.dll+106652|C:\Windows\System32\windows.storage.dll+106445|C:\Windows\System32\windows.storage.dll+1068bb|C:\Windows\System32\windows.storage.dll+1019ce|C:\Windows\System32\windows.storage.dll+1041c8|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175 23542300x800000000000000090265Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.330{9531C931-513C-623C-5C05-000000004302}2556WIN-HOST-TCONTR\AdministratorC:\Windows\System32\RuntimeBroker.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{0f425d36-ec0d-49ae-b068-934128ab89ba}\0.1.filtertrie.intermediate.txtMD5=34BD1DFB9F72CF4F86E6DF6DA0A9E49A,SHA256=8E1E6A3D56796A245D0C7B0849548932FEE803BBDB03F6E289495830E017F14C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090264Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.330{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141b87|C:\Windows\System32\windows.storage.dll+1414b3|C:\Windows\System32\windows.storage.dll+141339|C:\Windows\System32\windows.storage.dll+1096d4|C:\Windows\System32\windows.storage.dll+19adbe|C:\Windows\System32\windows.storage.dll+1071e3|C:\Windows\System32\windows.storage.dll+106c10|C:\Windows\System32\windows.storage.dll+106652|C:\Windows\System32\windows.storage.dll+106445|C:\Windows\System32\windows.storage.dll+1068bb|C:\Windows\System32\windows.storage.dll+1019ce|C:\Windows\System32\windows.storage.dll+1041c8|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175|C:\Windows\System32\windows.storage.dll+6665c|C:\Windows\System32\windows.storage.dll+667b0|C:\Windows\System32\windows.storage.dll+e92a1|C:\Windows\System32\windows.storage.dll+e8b32 10341000x800000000000000090263Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.330{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141af2|C:\Windows\System32\windows.storage.dll+1414b3|C:\Windows\System32\windows.storage.dll+141339|C:\Windows\System32\windows.storage.dll+1096d4|C:\Windows\System32\windows.storage.dll+19adbe|C:\Windows\System32\windows.storage.dll+1071e3|C:\Windows\System32\windows.storage.dll+106c10|C:\Windows\System32\windows.storage.dll+106652|C:\Windows\System32\windows.storage.dll+106445|C:\Windows\System32\windows.storage.dll+1068bb|C:\Windows\System32\windows.storage.dll+1019ce|C:\Windows\System32\windows.storage.dll+1041c8|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175|C:\Windows\System32\windows.storage.dll+6665c|C:\Windows\System32\windows.storage.dll+667b0|C:\Windows\System32\windows.storage.dll+e92a1|C:\Windows\System32\windows.storage.dll+e8b32 10341000x800000000000000090262Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.330{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+141ad7|C:\Windows\System32\windows.storage.dll+1414b3|C:\Windows\System32\windows.storage.dll+141339|C:\Windows\System32\windows.storage.dll+1096d4|C:\Windows\System32\windows.storage.dll+19adbe|C:\Windows\System32\windows.storage.dll+1071e3|C:\Windows\System32\windows.storage.dll+106c10|C:\Windows\System32\windows.storage.dll+106652|C:\Windows\System32\windows.storage.dll+106445|C:\Windows\System32\windows.storage.dll+1068bb|C:\Windows\System32\windows.storage.dll+1019ce|C:\Windows\System32\windows.storage.dll+1041c8|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175 10341000x800000000000000090261Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.330{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+141ad7|C:\Windows\System32\windows.storage.dll+1414b3|C:\Windows\System32\windows.storage.dll+141339|C:\Windows\System32\windows.storage.dll+1096d4|C:\Windows\System32\windows.storage.dll+19adbe|C:\Windows\System32\windows.storage.dll+1071e3|C:\Windows\System32\windows.storage.dll+106c10|C:\Windows\System32\windows.storage.dll+106652|C:\Windows\System32\windows.storage.dll+106445|C:\Windows\System32\windows.storage.dll+1068bb|C:\Windows\System32\windows.storage.dll+1019ce|C:\Windows\System32\windows.storage.dll+1041c8|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175|C:\Windows\System32\windows.storage.dll+6665c 10341000x800000000000000090260Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.330{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141b87|C:\Windows\System32\windows.storage.dll+1414b3|C:\Windows\System32\windows.storage.dll+141339|C:\Windows\System32\windows.storage.dll+19cffa|C:\Windows\System32\windows.storage.dll+10a517|C:\Windows\System32\windows.storage.dll+19ad79|C:\Windows\System32\windows.storage.dll+1071e3|C:\Windows\System32\windows.storage.dll+106c10|C:\Windows\System32\windows.storage.dll+106652|C:\Windows\System32\windows.storage.dll+106445|C:\Windows\System32\windows.storage.dll+1068bb|C:\Windows\System32\windows.storage.dll+1019ce|C:\Windows\System32\windows.storage.dll+1041c8|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175|C:\Windows\System32\windows.storage.dll+6665c|C:\Windows\System32\windows.storage.dll+667b0|C:\Windows\System32\windows.storage.dll+e92a1 10341000x800000000000000090259Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.330{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141af2|C:\Windows\System32\windows.storage.dll+1414b3|C:\Windows\System32\windows.storage.dll+141339|C:\Windows\System32\windows.storage.dll+19cffa|C:\Windows\System32\windows.storage.dll+10a517|C:\Windows\System32\windows.storage.dll+19ad79|C:\Windows\System32\windows.storage.dll+1071e3|C:\Windows\System32\windows.storage.dll+106c10|C:\Windows\System32\windows.storage.dll+106652|C:\Windows\System32\windows.storage.dll+106445|C:\Windows\System32\windows.storage.dll+1068bb|C:\Windows\System32\windows.storage.dll+1019ce|C:\Windows\System32\windows.storage.dll+1041c8|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175|C:\Windows\System32\windows.storage.dll+6665c|C:\Windows\System32\windows.storage.dll+667b0|C:\Windows\System32\windows.storage.dll+e92a1 10341000x800000000000000090258Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.330{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+141ad7|C:\Windows\System32\windows.storage.dll+1414b3|C:\Windows\System32\windows.storage.dll+141339|C:\Windows\System32\windows.storage.dll+19cffa|C:\Windows\System32\windows.storage.dll+10a517|C:\Windows\System32\windows.storage.dll+19ad79|C:\Windows\System32\windows.storage.dll+1071e3|C:\Windows\System32\windows.storage.dll+106c10|C:\Windows\System32\windows.storage.dll+106652|C:\Windows\System32\windows.storage.dll+106445|C:\Windows\System32\windows.storage.dll+1068bb|C:\Windows\System32\windows.storage.dll+1019ce|C:\Windows\System32\windows.storage.dll+1041c8|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe 10341000x800000000000000090257Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.330{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+141ad7|C:\Windows\System32\windows.storage.dll+1414b3|C:\Windows\System32\windows.storage.dll+141339|C:\Windows\System32\windows.storage.dll+19cffa|C:\Windows\System32\windows.storage.dll+10a517|C:\Windows\System32\windows.storage.dll+19ad79|C:\Windows\System32\windows.storage.dll+1071e3|C:\Windows\System32\windows.storage.dll+106c10|C:\Windows\System32\windows.storage.dll+106652|C:\Windows\System32\windows.storage.dll+106445|C:\Windows\System32\windows.storage.dll+1068bb|C:\Windows\System32\windows.storage.dll+1019ce|C:\Windows\System32\windows.storage.dll+1041c8|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175 23542300x800000000000000090256Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.330{9531C931-513C-623C-5C05-000000004302}2556WIN-HOST-TCONTR\AdministratorC:\Windows\System32\RuntimeBroker.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{0f425d36-ec0d-49ae-b068-934128ab89ba}\0.0.filtertrie.intermediate.txtMD5=F9086C5990DAE6A482CF2A456DD6D811,SHA256=44882AB685CBF6C771BDAB2E10BF5A0C9129CDB2D45AC143A5D7BBF2A4A6D32E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090255Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.314{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141b87|C:\Windows\System32\windows.storage.dll+141161|C:\Windows\System32\windows.storage.dll+14108c|C:\Windows\System32\windows.storage.dll+10431b|C:\Windows\System32\windows.storage.dll+1067fb|C:\Windows\System32\windows.storage.dll+1019ce|C:\Windows\System32\windows.storage.dll+1041c8|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175|C:\Windows\System32\windows.storage.dll+6665c|C:\Windows\System32\windows.storage.dll+667b0|C:\Windows\System32\windows.storage.dll+e92a1|C:\Windows\System32\windows.storage.dll+e8b32|C:\Windows\System32\windows.storage.dll+e6519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090254Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.314{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141af2|C:\Windows\System32\windows.storage.dll+141161|C:\Windows\System32\windows.storage.dll+14108c|C:\Windows\System32\windows.storage.dll+10431b|C:\Windows\System32\windows.storage.dll+1067fb|C:\Windows\System32\windows.storage.dll+1019ce|C:\Windows\System32\windows.storage.dll+1041c8|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175|C:\Windows\System32\windows.storage.dll+6665c|C:\Windows\System32\windows.storage.dll+667b0|C:\Windows\System32\windows.storage.dll+e92a1|C:\Windows\System32\windows.storage.dll+e8b32|C:\Windows\System32\windows.storage.dll+e6519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090253Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.314{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+141ad7|C:\Windows\System32\windows.storage.dll+141161|C:\Windows\System32\windows.storage.dll+14108c|C:\Windows\System32\windows.storage.dll+10431b|C:\Windows\System32\windows.storage.dll+1067fb|C:\Windows\System32\windows.storage.dll+1019ce|C:\Windows\System32\windows.storage.dll+1041c8|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175|C:\Windows\System32\windows.storage.dll+6665c|C:\Windows\System32\windows.storage.dll+667b0|C:\Windows\System32\windows.storage.dll+e92a1|C:\Windows\System32\windows.storage.dll+e8b32|C:\Windows\System32\windows.storage.dll+e6519 10341000x800000000000000090252Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.314{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+141ad7|C:\Windows\System32\windows.storage.dll+141161|C:\Windows\System32\windows.storage.dll+14108c|C:\Windows\System32\windows.storage.dll+10431b|C:\Windows\System32\windows.storage.dll+1067fb|C:\Windows\System32\windows.storage.dll+1019ce|C:\Windows\System32\windows.storage.dll+1041c8|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175|C:\Windows\System32\windows.storage.dll+6665c|C:\Windows\System32\windows.storage.dll+667b0|C:\Windows\System32\windows.storage.dll+e92a1|C:\Windows\System32\windows.storage.dll+e8b32|C:\Windows\System32\windows.storage.dll+e6519|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000090251Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.314{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141b87|C:\Windows\System32\windows.storage.dll+141161|C:\Windows\System32\windows.storage.dll+14108c|C:\Windows\System32\windows.storage.dll+10431b|C:\Windows\System32\windows.storage.dll+1042b1|C:\Windows\System32\windows.storage.dll+104184|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175|C:\Windows\System32\windows.storage.dll+6665c|C:\Windows\System32\windows.storage.dll+667b0|C:\Windows\System32\windows.storage.dll+e92a1|C:\Windows\System32\windows.storage.dll+e8b32|C:\Windows\System32\windows.storage.dll+e6519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090250Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.314{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141af2|C:\Windows\System32\windows.storage.dll+141161|C:\Windows\System32\windows.storage.dll+14108c|C:\Windows\System32\windows.storage.dll+10431b|C:\Windows\System32\windows.storage.dll+1042b1|C:\Windows\System32\windows.storage.dll+104184|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175|C:\Windows\System32\windows.storage.dll+6665c|C:\Windows\System32\windows.storage.dll+667b0|C:\Windows\System32\windows.storage.dll+e92a1|C:\Windows\System32\windows.storage.dll+e8b32|C:\Windows\System32\windows.storage.dll+e6519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090249Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.314{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+141ad7|C:\Windows\System32\windows.storage.dll+141161|C:\Windows\System32\windows.storage.dll+14108c|C:\Windows\System32\windows.storage.dll+10431b|C:\Windows\System32\windows.storage.dll+1042b1|C:\Windows\System32\windows.storage.dll+104184|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175|C:\Windows\System32\windows.storage.dll+6665c|C:\Windows\System32\windows.storage.dll+667b0|C:\Windows\System32\windows.storage.dll+e92a1|C:\Windows\System32\windows.storage.dll+e8b32|C:\Windows\System32\windows.storage.dll+e6519|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000090248Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.314{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141b87|C:\Windows\System32\windows.storage.dll+141161|C:\Windows\System32\windows.storage.dll+14108c|C:\Windows\System32\windows.storage.dll+10431b|C:\Windows\System32\windows.storage.dll+1042b1|C:\Windows\System32\windows.storage.dll+104163|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175|C:\Windows\System32\windows.storage.dll+6665c|C:\Windows\System32\windows.storage.dll+667b0|C:\Windows\System32\windows.storage.dll+e92a1|C:\Windows\System32\windows.storage.dll+e8b32|C:\Windows\System32\windows.storage.dll+e6519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090247Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.314{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+141ad7|C:\Windows\System32\windows.storage.dll+141161|C:\Windows\System32\windows.storage.dll+14108c|C:\Windows\System32\windows.storage.dll+10431b|C:\Windows\System32\windows.storage.dll+1042b1|C:\Windows\System32\windows.storage.dll+104184|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175|C:\Windows\System32\windows.storage.dll+6665c|C:\Windows\System32\windows.storage.dll+667b0|C:\Windows\System32\windows.storage.dll+e92a1|C:\Windows\System32\windows.storage.dll+e8b32|C:\Windows\System32\windows.storage.dll+e6519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090246Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.314{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141af2|C:\Windows\System32\windows.storage.dll+141161|C:\Windows\System32\windows.storage.dll+14108c|C:\Windows\System32\windows.storage.dll+10431b|C:\Windows\System32\windows.storage.dll+1042b1|C:\Windows\System32\windows.storage.dll+104163|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175|C:\Windows\System32\windows.storage.dll+6665c|C:\Windows\System32\windows.storage.dll+667b0|C:\Windows\System32\windows.storage.dll+e92a1|C:\Windows\System32\windows.storage.dll+e8b32|C:\Windows\System32\windows.storage.dll+e6519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090245Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.314{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+141ad7|C:\Windows\System32\windows.storage.dll+141161|C:\Windows\System32\windows.storage.dll+14108c|C:\Windows\System32\windows.storage.dll+10431b|C:\Windows\System32\windows.storage.dll+1042b1|C:\Windows\System32\windows.storage.dll+104163|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175|C:\Windows\System32\windows.storage.dll+6665c|C:\Windows\System32\windows.storage.dll+667b0|C:\Windows\System32\windows.storage.dll+e92a1|C:\Windows\System32\windows.storage.dll+e8b32|C:\Windows\System32\windows.storage.dll+e6519|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000090244Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.314{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+141ad7|C:\Windows\System32\windows.storage.dll+141161|C:\Windows\System32\windows.storage.dll+14108c|C:\Windows\System32\windows.storage.dll+10431b|C:\Windows\System32\windows.storage.dll+1042b1|C:\Windows\System32\windows.storage.dll+104163|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175|C:\Windows\System32\windows.storage.dll+6665c|C:\Windows\System32\windows.storage.dll+667b0|C:\Windows\System32\windows.storage.dll+e92a1|C:\Windows\System32\windows.storage.dll+e8b32|C:\Windows\System32\windows.storage.dll+e6519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090243Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.314{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\windows.storage.dll+171196|C:\Windows\System32\windows.storage.dll+14140c|C:\Windows\System32\windows.storage.dll+141049|C:\Windows\System32\windows.storage.dll+10431b|C:\Windows\System32\windows.storage.dll+1042b1|C:\Windows\System32\windows.storage.dll+104163|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175|C:\Windows\System32\windows.storage.dll+6665c|C:\Windows\System32\windows.storage.dll+667b0|C:\Windows\System32\windows.storage.dll+e92a1|C:\Windows\System32\windows.storage.dll+e8b32|C:\Windows\System32\windows.storage.dll+e6519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090242Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.314{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+171184|C:\Windows\System32\windows.storage.dll+14140c|C:\Windows\System32\windows.storage.dll+141049|C:\Windows\System32\windows.storage.dll+10431b|C:\Windows\System32\windows.storage.dll+1042b1|C:\Windows\System32\windows.storage.dll+104163|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175|C:\Windows\System32\windows.storage.dll+6665c|C:\Windows\System32\windows.storage.dll+667b0|C:\Windows\System32\windows.storage.dll+e92a1|C:\Windows\System32\windows.storage.dll+e8b32|C:\Windows\System32\windows.storage.dll+e6519|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000090241Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.314{9531C931-513C-623C-5C05-000000004302}25564100C:\Windows\System32\RuntimeBroker.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+171184|C:\Windows\System32\windows.storage.dll+14140c|C:\Windows\System32\windows.storage.dll+141049|C:\Windows\System32\windows.storage.dll+10431b|C:\Windows\System32\windows.storage.dll+1042b1|C:\Windows\System32\windows.storage.dll+104163|C:\Windows\System32\windows.storage.dll+103cad|C:\Windows\System32\windows.storage.dll+102f2a|C:\Windows\System32\windows.storage.dll+1563fe|C:\Windows\System32\windows.storage.dll+156175|C:\Windows\System32\windows.storage.dll+6665c|C:\Windows\System32\windows.storage.dll+667b0|C:\Windows\System32\windows.storage.dll+e92a1|C:\Windows\System32\windows.storage.dll+e8b32|C:\Windows\System32\windows.storage.dll+e6519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090240Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.299{9531C931-513C-623C-5C05-000000004302}25565116C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+12bdab|C:\Windows\System32\windows.storage.dll+12dc83|C:\Windows\System32\windows.storage.dll+12bcbc|C:\Windows\System32\windows.storage.dll+12f431|C:\Windows\System32\windows.storage.dll+12e70c|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+e912c 10341000x800000000000000090239Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.299{9531C931-513C-623C-5C05-000000004302}25565116C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+12bd48|C:\Windows\System32\windows.storage.dll+12dc64|C:\Windows\System32\windows.storage.dll+12bcbc|C:\Windows\System32\windows.storage.dll+12f431|C:\Windows\System32\windows.storage.dll+12e70c|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+e912c 10341000x800000000000000090238Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.299{9531C931-513C-623C-5C05-000000004302}25565116C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+12cecb|C:\Windows\System32\windows.storage.dll+12c3a5|C:\Windows\System32\windows.storage.dll+12c182|C:\Windows\System32\windows.storage.dll+12f3ea|C:\Windows\System32\windows.storage.dll+12e70c|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+e912c 10341000x800000000000000090237Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.299{9531C931-513C-623C-5C05-000000004302}25564892C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+5cf2c|C:\Windows\System32\windows.storage.dll+e5c29|C:\Windows\System32\windows.storage.dll+e5db4|C:\Windows\System32\windows.storage.dll+61676|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e 10341000x800000000000000090236Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.299{9531C931-513C-623C-5C05-000000004302}25565116C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+60ef0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+e912c|C:\Windows\System32\windows.storage.dll+e8b32|C:\Windows\System32\windows.storage.dll+e6519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090235Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.299{9531C931-513C-623C-5C05-000000004302}25565116C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+5cf9b|C:\Windows\System32\windows.storage.dll+5fc02|C:\Windows\System32\windows.storage.dll+601f8|C:\Windows\System32\windows.storage.dll+19f983|C:\Windows\System32\windows.storage.dll+60ed5|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+e912c 10341000x800000000000000090234Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.299{9531C931-513C-623C-5C05-000000004302}25565116C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+605c3|C:\Windows\System32\windows.storage.dll+19fa88|C:\Windows\System32\windows.storage.dll+19f969|C:\Windows\System32\windows.storage.dll+60ed5|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+e912c|C:\Windows\System32\windows.storage.dll+e8b32 10341000x800000000000000090233Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.299{9531C931-513C-623C-5C05-000000004302}25564892C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.storage.dll+5d231|C:\Windows\System32\windows.storage.dll+5cf2c|C:\Windows\System32\windows.storage.dll+e5c29|C:\Windows\System32\windows.storage.dll+e5db4|C:\Windows\System32\windows.storage.dll+61676|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e 11241100x800000000000000090232Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.283{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{0cf53afc-6b6b-499c-9cc9-56c720b10a48}\0.2.filtertrie.intermediate.txt2022-03-24 11:09:03.283 11241100x800000000000000090231Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.283{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{0cf53afc-6b6b-499c-9cc9-56c720b10a48}\0.1.filtertrie.intermediate.txt2022-03-24 11:09:03.283 11241100x800000000000000090230Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.267{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{0cf53afc-6b6b-499c-9cc9-56c720b10a48}\0.0.filtertrie.intermediate.txt2022-03-24 11:09:03.267 11241100x800000000000000090229Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.220{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{b9f66cc3-b4b7-41f4-bfdc-98e043db1abc}\Appssynonyms.txt2016-04-15 08:09:24.000 23542300x800000000000000090228Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.220{9531C931-5149-623C-7A05-000000004302}4508WIN-HOST-TCONTR\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{b9f66cc3-b4b7-41f4-bfdc-98e043db1abc}\Appssynonyms.txtMD5=8A41CAEE351680558FE7C3E08E7F3330,SHA256=1F0DBC7090F72659E30FB10BC3452A216FE76CC854EA3345CEE6F9358717324B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090227Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.111{9531C931-513E-623C-6505-000000004302}35881956C:\Windows\Explorer.EXE{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+af4a0|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF802052DCB58)|UNKNOWN(FFFFF693D44A5B88)|UNKNOWN(FFFFF693D44A5D07)|UNKNOWN(FFFFF693D44A0391)|UNKNOWN(FFFFF693D44A1D5A)|UNKNOWN(FFFFF693D44A0016)|UNKNOWN(FFFFF80204FF2503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+b2cfb|C:\Windows\System32\SHELL32.dll+5360a|C:\Windows\System32\SHCORE.dll+33fad 10341000x800000000000000090226Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.111{9531C931-513E-623C-6505-000000004302}35881956C:\Windows\Explorer.EXE{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+aef81|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF802052DCB58)|UNKNOWN(FFFFF693D44A5B88)|UNKNOWN(FFFFF693D44A5D07)|UNKNOWN(FFFFF693D44A0391)|UNKNOWN(FFFFF693D44A1D5A)|UNKNOWN(FFFFF693D44A0016)|UNKNOWN(FFFFF80204FF2503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+b2cfb|C:\Windows\System32\SHELL32.dll+5360a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000090225Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.095{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache132925937428683167.txt2022-03-24 11:09:03.095 10341000x800000000000000090224Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.049{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090223Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.049{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090222Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.049{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090221Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.049{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090220Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.049{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090219Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.049{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090218Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.049{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090217Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.033{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090216Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.033{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090215Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.033{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090214Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.033{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090213Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.033{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090212Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.033{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090211Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.033{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090210Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.033{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090209Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.033{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090208Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.033{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090207Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.033{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090206Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.033{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090205Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.033{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090204Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.033{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090203Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.033{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090202Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.033{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090201Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.033{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090200Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.033{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090199Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.033{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090198Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.033{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090197Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.033{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090196Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.033{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090195Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.033{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090194Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.033{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090193Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.033{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090192Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.033{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090191Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.033{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090190Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.033{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090189Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.033{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090188Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.033{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090187Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.033{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090186Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.033{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090185Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.033{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090184Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.033{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090183Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.033{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090182Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.033{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090181Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.033{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090180Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.033{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090179Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.033{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090178Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.033{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090177Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.033{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090176Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.033{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090175Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.033{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090174Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.033{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090173Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.033{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090172Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.033{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090171Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.033{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090170Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.033{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090169Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.033{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090168Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.033{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090167Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.017{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090166Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.017{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090165Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.017{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090164Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.017{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090163Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.017{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090162Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.017{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090161Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.017{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090160Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.017{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090159Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.017{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090158Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.017{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090157Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.017{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090156Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.017{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090155Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.017{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090154Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.017{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090153Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.017{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090152Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.017{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090151Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.017{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090150Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.017{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090149Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.017{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090148Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.017{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090147Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.017{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090146Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.017{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090145Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.017{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090144Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.017{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090143Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.017{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090142Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.017{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090141Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.017{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090140Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.017{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090139Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.017{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090138Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.017{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090137Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.017{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090136Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.017{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090135Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.017{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090134Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.017{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090133Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.017{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090132Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.017{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090131Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.017{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090130Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.017{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090129Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.017{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090128Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.017{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090127Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.017{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090126Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.017{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090125Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.017{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090124Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.017{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090123Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.017{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090122Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.017{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090121Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.017{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090120Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.017{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090119Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.002{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090118Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.002{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090117Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.002{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090116Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.002{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090115Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.002{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090114Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.002{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090113Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.002{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090112Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.002{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090111Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.002{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090110Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.002{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090109Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.002{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090108Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.002{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090107Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.002{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090106Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.002{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090105Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.002{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090104Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.002{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1528d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009 10341000x800000000000000090103Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.002{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000090102Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.002{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000090101Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.002{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11b6c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090100Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.002{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090099Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.002{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090098Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.002{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090097Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.002{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090096Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.002{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090095Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.002{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090094Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.002{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090093Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.002{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090092Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.002{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090091Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.002{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090090Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.002{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090089Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.002{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090088Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.002{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090087Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.002{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090086Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.002{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090085Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.002{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090084Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.002{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090083Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.002{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090082Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.002{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090081Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:03.002{9531C931-513C-623C-5C05-000000004302}25564684C:\Windows\System32\RuntimeBroker.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000121112Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:03.743{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C73B10BC155F3A20C158658B6B50244,SHA256=364A2E0A1D5510DF43517D2D74DB39640D311DEED54FEDCE732917BC804AFE9D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121111Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:03.508{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-514F-623C-ED05-000000004202}6132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121110Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:03.508{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121109Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:03.508{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121108Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:03.508{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121107Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:03.508{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121106Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:03.508{5F3DCEF0-286A-623C-0500-000000004202}404420C:\Windows\system32\csrss.exe{5F3DCEF0-514F-623C-ED05-000000004202}6132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000121105Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:03.508{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-514F-623C-ED05-000000004202}6132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000121104Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:03.509{5F3DCEF0-514F-623C-ED05-000000004202}6132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000121103Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:03.227{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0752D25EA4C1278A13CDD8685E3D39BE,SHA256=07C342DD13AC62480442A16CCA8800286DE49BBA7F13469EEACFBF1992BFAB98,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090345Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:04.689{9531C931-5139-623C-5205-000000004302}15401844C:\Windows\system32\csrss.exe{9531C931-5150-623C-7E05-000000004302}5388C:\Windows\System32\mobsync.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000090344Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:04.674{9531C931-286C-623C-0500-000000004302}408528C:\Windows\system32\csrss.exe{9531C931-5150-623C-7E05-000000004302}5388C:\Windows\System32\mobsync.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000090343Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:04.674{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-5150-623C-7E05-000000004302}5388C:\Windows\System32\mobsync.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f553|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+26652|c:\windows\system32\rpcss.dll+424dd|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000090342Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:04.299{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=26A4180B1F245766C2FADFE860403B88,SHA256=1EFFFE14050231F4059548809588DA56B10FE7F02D2A651207CA241ED2FA38BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121122Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:04.368{5F3DCEF0-5150-623C-EE05-000000004202}10086532C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000121121Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:04.321{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9782C1A6116B9BB867385A42B8FF179C,SHA256=94E1C31E62759FF06D8A7C3034F2DBB8B8DF0CB51BDEF0EF4AE194FD998801BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121120Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:04.180{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-5150-623C-EE05-000000004202}1008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121119Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:04.180{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121118Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:04.180{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121117Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:04.180{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121116Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:04.180{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121115Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:04.180{5F3DCEF0-286A-623C-0500-000000004202}404420C:\Windows\system32\csrss.exe{5F3DCEF0-5150-623C-EE05-000000004202}1008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000121114Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:04.180{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-5150-623C-EE05-000000004202}1008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000121113Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:04.181{5F3DCEF0-5150-623C-EE05-000000004202}1008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000090350Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:05.111{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-5150-623C-7E05-000000004302}5388C:\Windows\System32\mobsync.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090349Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:05.111{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-5150-623C-7E05-000000004302}5388C:\Windows\System32\mobsync.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090348Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:05.064{9531C931-286E-623C-1400-000000004302}9523044C:\Windows\system32\svchost.exe{9531C931-5150-623C-7E05-000000004302}5388C:\Windows\System32\mobsync.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090347Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:05.064{9531C931-286E-623C-1400-000000004302}9521104C:\Windows\system32\svchost.exe{9531C931-5150-623C-7E05-000000004302}5388C:\Windows\System32\mobsync.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090346Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:05.017{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-5150-623C-7E05-000000004302}5388C:\Windows\System32\mobsync.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000121124Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:05.836{5F3DCEF0-287B-623C-3200-000000004202}2344NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=824157B1B525DEBC9762A25D8D687D46,SHA256=196B666F98BC3F4F0FAA34CCB35B9AEDA702E6BF5B6F370778FF3B3F0A8A8C79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121123Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:05.414{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E43D599B5665195F401337B73F2DAF03,SHA256=443A62C856FD3C45FC4171E538136D1C8A79FE11EA95242B58F03A6C5A32E8C9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090360Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:06.580{9531C931-286E-623C-2400-000000004302}11404576C:\Windows\system32\svchost.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bce2|c:\windows\system32\tileobjserver.dll+26f12|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000090359Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:06.580{9531C931-286E-623C-2400-000000004302}11404576C:\Windows\system32\svchost.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\System32\combase.dll+380bb|c:\windows\system32\tileobjserver.dll+bc8f|c:\windows\system32\tileobjserver.dll+26f12|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54139|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a 10341000x800000000000000090358Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:06.564{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000090357Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:06.564{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000090356Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:06.549{9531C931-286D-623C-0C00-000000004302}7204628C:\Windows\system32\svchost.exe{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090355Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:06.549{9531C931-286D-623C-0C00-000000004302}7204628C:\Windows\system32\svchost.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090354Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:06.549{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000090353Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:06.549{9531C931-286D-623C-0C00-000000004302}7202560C:\Windows\system32\svchost.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 354300x800000000000000090352Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:04.739{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51764-false10.0.1.12-8000- 23542300x800000000000000090351Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:06.142{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2645B647FD09BE6D74B33DDBEA12D7C,SHA256=9424351578CAF8E0011D5CACEB0C2FBAF77286A2AD12DC3FC1E893EBD70230E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121126Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:06.508{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C74DB8C52E8DDAA3E88F815E142A5AAC,SHA256=C7485227F507F3F67C5E8B3D54BFB0CB64885B61EEF4FD2F0FF9488E378F5F2E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000121125Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:04.841{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63405-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000090363Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:07.174{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62B6E39B56C239A5AE0BAE02D415CC44,SHA256=1A3C77DB27EFD149ECCBBC0B6F19D5ED319E4252A87B85597CD1946F9E089BC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090362Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:07.064{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0912268FCF671DE2D85FBDFA102B51D2,SHA256=DE13E6D59E63B4280CDE5E3F6D6DE9120A188C96D16BDC04604FDFCD4B11ABE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090361Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:07.064{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34C6BC8198291B491B5E09767751F9C0,SHA256=B5EF043D6E703EC3301E45E04C735BE667811AB6A3F6EE0F4A47544ACC4144DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121138Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:07.602{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B43F0AFF2FEB2A2571F1C47BE0331297,SHA256=736957E43EEBB2E7318C6A16318DF033AB7BB166916B5D35D745B6D08220F7CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000121137Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:05.934{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local63406-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local389ldap 354300x8000000000000000121136Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:05.934{5F3DCEF0-287B-623C-2E00-000000004202}3044C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local63406-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local389ldap 10341000x8000000000000000121135Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:07.243{5F3DCEF0-5153-623C-EF05-000000004202}60323444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121134Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:07.086{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-5153-623C-EF05-000000004202}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121133Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:07.086{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121132Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:07.086{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121131Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:07.086{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121130Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:07.086{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121129Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:07.086{5F3DCEF0-286A-623C-0500-000000004202}404520C:\Windows\system32\csrss.exe{5F3DCEF0-5153-623C-EF05-000000004202}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000121128Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:07.086{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-5153-623C-EF05-000000004202}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000121127Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:07.087{5F3DCEF0-5153-623C-EF05-000000004202}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000090364Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:08.267{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5181977062CABD6B0FDCE90BD45DA495,SHA256=8FE75936554974CA0009E82C252B7449357899A90E0E50EC0D0FD3E806671A87,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121157Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:08.977{5F3DCEF0-5154-623C-F105-000000004202}31844980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121156Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:08.774{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-5154-623C-F105-000000004202}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121155Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:08.774{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121154Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:08.774{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121153Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:08.774{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121152Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:08.774{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121151Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:08.774{5F3DCEF0-286A-623C-0500-000000004202}404520C:\Windows\system32\csrss.exe{5F3DCEF0-5154-623C-F105-000000004202}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000121150Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:08.774{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-5154-623C-F105-000000004202}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000121149Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:08.775{5F3DCEF0-5154-623C-F105-000000004202}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000121148Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:08.696{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA19DB138B93BB61C6417A95D130B6FF,SHA256=9D11AFDA878EEC29DD4B220909E75C21D5BF83967110C7C35DB80C4B8028EBE0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121147Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:08.461{5F3DCEF0-5154-623C-F005-000000004202}42964392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121146Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:08.258{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-5154-623C-F005-000000004202}4296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121145Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:08.258{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121144Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:08.258{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121143Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:08.258{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121142Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:08.258{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121141Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:08.258{5F3DCEF0-286A-623C-0500-000000004202}404608C:\Windows\system32\csrss.exe{5F3DCEF0-5154-623C-F005-000000004202}4296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000121140Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:08.258{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-5154-623C-F005-000000004202}4296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000121139Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:08.259{5F3DCEF0-5154-623C-F005-000000004202}4296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000121167Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:09.789{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87A048D7212D97A2BEAA6C5F39F8DADC,SHA256=73F4AF90A092834303AB2596A843AD6361CE265C6E94B8E9D87B5CE628DB0928,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090365Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:09.361{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4908A3EA22130EBD64BDEE498D72074,SHA256=4A537B66CA09A1801AB0D575475AEC947F1FE4C43A979FCD391C182BDFBBB4F9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121166Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:09.399{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-5155-623C-F205-000000004202}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121165Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:09.399{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121164Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:09.399{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121163Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:09.399{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121162Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:09.399{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121161Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:09.399{5F3DCEF0-286A-623C-0500-000000004202}404608C:\Windows\system32\csrss.exe{5F3DCEF0-5155-623C-F205-000000004202}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000121160Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:09.399{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-5155-623C-F205-000000004202}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000121159Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:09.400{5F3DCEF0-5155-623C-F205-000000004202}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000121158Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:09.321{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=035F83A7FB61ACF0401244A528FAFBB6,SHA256=CA18ABA23F6C303F6677548BD426A219FB774BA57510BA4296A3790FA4028499,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121168Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:10.883{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55E068CB0E451BAEC7FE89E87B73D3DC,SHA256=FBEFF2DF64536C01B390AE6701FF1137E65D6D5E127F2402005DCF0A087CD18C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090366Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:10.455{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EF93F5B246D170B963C2182EB47D3F1,SHA256=06611915A94C7099B6E7A5CC862F800C5BC9CD497B3CAE1CD0821C62787DD38C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121169Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:11.977{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3676526EA7B1F93A5E7C9B901CBF1DD,SHA256=54E86C4C361522318469DF0CAB3C26AB0E8F18E4D0C0649B2BD6CF5A839CF4DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090367Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:11.549{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD7093F35802729548DE5742A5D9D767,SHA256=90B3F2FB41A5CADB338FEAA4FBC2D1A7176913CC038B60A85DF4539196001E97,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090386Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:12.924{9531C931-513D-623C-6005-000000004302}32162744C:\Windows\system32\taskhostw.exe{9531C931-5158-623C-8005-000000004302}5504C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090385Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:12.908{9531C931-513D-623C-6005-000000004302}32162744C:\Windows\system32\taskhostw.exe{9531C931-5158-623C-8005-000000004302}5504C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090384Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:12.814{9531C931-513E-623C-6505-000000004302}35885336C:\Windows\Explorer.EXE{9531C931-5158-623C-7F05-000000004302}5496C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090383Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:12.814{9531C931-513E-623C-6505-000000004302}35885336C:\Windows\Explorer.EXE{9531C931-5158-623C-7F05-000000004302}5496C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090382Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:12.814{9531C931-513E-623C-6505-000000004302}35885336C:\Windows\Explorer.EXE{9531C931-5158-623C-7F05-000000004302}5496C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090381Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:12.814{9531C931-513E-623C-6505-000000004302}35885336C:\Windows\Explorer.EXE{9531C931-5158-623C-7F05-000000004302}5496C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090380Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:12.767{9531C931-286E-623C-1400-000000004302}9523044C:\Windows\system32\svchost.exe{9531C931-5158-623C-8005-000000004302}5504C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090379Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:12.767{9531C931-286E-623C-1400-000000004302}9521104C:\Windows\system32\svchost.exe{9531C931-5158-623C-8005-000000004302}5504C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090378Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:12.752{9531C931-5158-623C-8005-000000004302}55045524C:\Windows\system32\conhost.exe{9531C931-5158-623C-7F05-000000004302}5496C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090377Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:12.689{9531C931-5139-623C-5205-000000004302}15401684C:\Windows\system32\csrss.exe{9531C931-5158-623C-8005-000000004302}5504C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000090376Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:12.674{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090375Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:12.674{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090374Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:12.674{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090373Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:12.674{9531C931-5139-623C-5205-000000004302}15401844C:\Windows\system32\csrss.exe{9531C931-5158-623C-7F05-000000004302}5496C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000090372Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:12.674{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090371Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:12.674{9531C931-513E-623C-6505-000000004302}35885332C:\Windows\Explorer.EXE{9531C931-5158-623C-7F05-000000004302}5496C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e70b|C:\Windows\System32\windows.storage.dll+16e421|C:\Windows\System32\windows.storage.dll+16e06e|C:\Windows\System32\windows.storage.dll+16f310|C:\Windows\System32\windows.storage.dll+16ddbe|C:\Windows\System32\windows.storage.dll+fce7d|C:\Windows\System32\windows.storage.dll+fd5bc|C:\Windows\System32\windows.storage.dll+fc920|C:\Windows\System32\windows.storage.dll+1664ca|C:\Windows\System32\windows.storage.dll+166222|C:\Windows\System32\SHELL32.dll+9cf3d|C:\Windows\System32\SHELL32.dll+9bad6|C:\Windows\System32\SHELL32.dll+d9be1|C:\Windows\System32\SHELL32.dll+c0bbe|C:\Windows\Explorer.EXE+91a26|C:\Windows\Explorer.EXE+11a0b|C:\Windows\Explorer.EXE+1187e|C:\Windows\Explorer.EXE+f7c2|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 154100x800000000000000090370Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:12.673{9531C931-5158-623C-7F05-000000004302}5496C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RunWallpaperSetupInit.cmd" "C:\Windows\system32\WIN-HOST-TCONTR\Administrator{9531C931-513B-623C-21B3-330000000000}0x33b3212HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{9531C931-513E-623C-6505-000000004302}3588C:\Windows\explorer.exeC:\Windows\Explorer.EXE 23542300x800000000000000090369Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:12.642{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97F243CC8E29FE7E6F3A7388ABDE784D,SHA256=A375700232CD24934F1F9DD58D4C65E0C18C9164DCFE1264D80DAB69B156EDAA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000121170Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:10.840{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63407-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000090368Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:10.754{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51765-false10.0.1.12-8000- 10341000x800000000000000090405Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:13.674{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000090404Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:13.674{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000090403Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:13.674{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000090402Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:13.674{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000090401Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:13.674{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000090400Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:13.674{9531C931-513D-623C-5D05-000000004302}9921892C:\Windows\system32\sihost.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090399Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:13.658{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000090398Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:13.658{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000090397Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:13.658{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000090396Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:13.658{9531C931-513D-623C-5D05-000000004302}9921892C:\Windows\system32\sihost.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+386f0|C:\Windows\System32\modernexecserver.dll+2ff00|C:\Windows\System32\modernexecserver.dll+1e81d|C:\Windows\System32\modernexecserver.dll+1e514|C:\Windows\System32\modernexecserver.dll+49142|C:\Windows\System32\modernexecserver.dll+14a47|C:\Windows\SYSTEM32\ntdll.dll+3a950|C:\Windows\SYSTEM32\ntdll.dll+1e87f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000121172Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:13.278{5F3DCEF0-287B-623C-2F00-000000004202}3064NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-055648375a9ac07a7\channels\health\respondent-20220324081453-169MD5=AC296348C12F899BF0F527F2984A2DD1,SHA256=A35560BD23E94F5C9C2AA7752B988DA786BB94608EDDAF755EB3DCD02CE684A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121171Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:13.073{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=433A146F7D524E05719F8A310063A911,SHA256=2E8B4350DC430FB74ED244F93009DDF395BB5D3C7CF21BF9464BD18817B64C84,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090395Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:13.408{9531C931-286C-623C-0B00-000000004302}6284776C:\Windows\system32\lsass.exe{9531C931-5159-623C-8105-000000004302}5544C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090394Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:13.127{9531C931-5158-623C-8005-000000004302}55045524C:\Windows\system32\conhost.exe{9531C931-5159-623C-8105-000000004302}5544C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090393Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:13.095{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090392Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:13.095{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090391Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:13.095{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090390Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:13.095{9531C931-5139-623C-5205-000000004302}15401844C:\Windows\system32\csrss.exe{9531C931-5159-623C-8105-000000004302}5544C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000090389Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:13.095{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090388Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:13.095{9531C931-5158-623C-7F05-000000004302}54965500C:\Windows\system32\cmd.exe{9531C931-5159-623C-8105-000000004302}5544C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000090387Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:13.091{9531C931-5159-623C-8105-000000004302}5544C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive -NoLogo -WindowStyle hidden -ExecutionPolicy Unrestricted "Import-Module "C:\ProgramData\Amazon\EC2-Windows\Launch\Module\Ec2Launch.psd1"; Set-Wallpaper -Initial" C:\Windows\system32\WIN-HOST-TCONTR\Administrator{9531C931-513B-623C-21B3-330000000000}0x33b3212HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{9531C931-5158-623C-7F05-000000004302}5496C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RunWallpaperSetupInit.cmd" " 10341000x800000000000000090418Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:14.941{9531C931-5141-623C-6F05-000000004302}39243572C:\Windows\system32\rundll32.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\shell32.dll+ace9a|C:\Windows\System32\shell32.dll+ddff2|C:\Windows\system32\AppXDeploymentExtensions.OneCore.dll+5d1fe|C:\Windows\system32\rundll32.exe+3b0c|C:\Windows\system32\rundll32.exe+6097|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090417Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:14.941{9531C931-5141-623C-6F05-000000004302}39243572C:\Windows\system32\rundll32.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\shell32.dll+ace04|C:\Windows\System32\shell32.dll+ddff2|C:\Windows\system32\AppXDeploymentExtensions.OneCore.dll+5d1fe|C:\Windows\system32\rundll32.exe+3b0c|C:\Windows\system32\rundll32.exe+6097|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090416Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:14.941{9531C931-5141-623C-6F05-000000004302}39243572C:\Windows\system32\rundll32.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\shell32.dll+acde6|C:\Windows\System32\shell32.dll+ddff2|C:\Windows\system32\AppXDeploymentExtensions.OneCore.dll+5d1fe|C:\Windows\system32\rundll32.exe+3b0c|C:\Windows\system32\rundll32.exe+6097|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090415Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:14.941{9531C931-5141-623C-6F05-000000004302}39243572C:\Windows\system32\rundll32.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\shell32.dll+acde6|C:\Windows\System32\shell32.dll+ddff2|C:\Windows\system32\AppXDeploymentExtensions.OneCore.dll+5d1fe|C:\Windows\system32\rundll32.exe+3b0c|C:\Windows\system32\rundll32.exe+6097|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090414Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:14.941{9531C931-5141-623C-6F05-000000004302}39243572C:\Windows\system32\rundll32.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\shell32.dll+491ca|C:\Windows\System32\shell32.dll+de2c4|C:\Windows\System32\shell32.dll+ddf18|C:\Windows\system32\AppXDeploymentExtensions.OneCore.dll+5d1fe|C:\Windows\system32\rundll32.exe+3b0c|C:\Windows\system32\rundll32.exe+6097|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090413Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:14.941{9531C931-5141-623C-6F05-000000004302}39243572C:\Windows\system32\rundll32.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\shell32.dll+491b8|C:\Windows\System32\shell32.dll+de2c4|C:\Windows\System32\shell32.dll+ddf18|C:\Windows\system32\AppXDeploymentExtensions.OneCore.dll+5d1fe|C:\Windows\system32\rundll32.exe+3b0c|C:\Windows\system32\rundll32.exe+6097|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090412Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:14.941{9531C931-5141-623C-6F05-000000004302}39243572C:\Windows\system32\rundll32.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\shell32.dll+491b8|C:\Windows\System32\shell32.dll+de2c4|C:\Windows\System32\shell32.dll+ddf18|C:\Windows\system32\AppXDeploymentExtensions.OneCore.dll+5d1fe|C:\Windows\system32\rundll32.exe+3b0c|C:\Windows\system32\rundll32.exe+6097|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000090411Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:14.691{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92DFBDE3638C0C33A57567724D25994D,SHA256=270D1B9BE6D901BC0025C241A795BA1C8025F529D66BBF2398C09EA0E27B7AC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121174Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:14.292{5F3DCEF0-287B-623C-2F00-000000004202}3064NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-055648375a9ac07a7\channels\health\surveyor-20220324081451-170MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121173Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:14.151{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6A1ADDE6CF4BB5CF60690191635C02A,SHA256=A082703C17E496B6C8A7CE2979134B5A716F9B0FC31B76920126E353F14DA144,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000090410Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:14.596{9531C931-5159-623C-8105-000000004302}5544C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_lzkzlamx.5bu.ps12022-03-24 11:09:14.596 10341000x800000000000000090409Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:14.502{9531C931-286C-623C-0B00-000000004302}6284776C:\Windows\system32\lsass.exe{9531C931-5159-623C-8105-000000004302}5544C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090408Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:14.486{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-5159-623C-8105-000000004302}5544C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000090407Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:14.050{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14B90AC88384ACE427D80AC9E4B7E4C7,SHA256=2248E0DD409ADF400B83E1A93C811CE4B0519269F814D59494C1B57A99720BF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090406Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:14.050{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=07779A267AA924F2E64A66562A434464,SHA256=D8DE4F562EF6199D5C01DFF93F9D68BF9AEB457122E573954D11A0F63A6EABA7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090433Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:15.986{9531C931-286E-623C-1400-000000004302}9522352C:\Windows\system32\svchost.exe{9531C931-5159-623C-8105-000000004302}5544C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090432Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:15.986{9531C931-286E-623C-1400-000000004302}9521104C:\Windows\system32\svchost.exe{9531C931-5159-623C-8105-000000004302}5544C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090431Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:15.908{9531C931-286C-623C-0B00-000000004302}6284776C:\Windows\system32\lsass.exe{9531C931-5159-623C-8105-000000004302}5544C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090430Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:15.908{9531C931-286C-623C-0B00-000000004302}6284776C:\Windows\system32\lsass.exe{9531C931-5159-623C-8105-000000004302}5544C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000090429Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:15.799{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D11776A8DEE63C49B750BF38427963D,SHA256=1A4DD2F567CDD8E828B1534794D06E8FE82AACDA641129917A31221C9AE58507,IMPHASH=00000000000000000000000000000000falsetrue 17141700x800000000000000090428Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-CreatePipe2022-03-24 11:09:15.736{9531C931-5159-623C-8105-000000004302}5544\PSHost.132925937530913100.5544.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x800000000000000090427Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:15.720{9531C931-286E-623C-1400-000000004302}9522352C:\Windows\system32\svchost.exe{9531C931-515B-623C-8205-000000004302}5636C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090426Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:15.720{9531C931-286E-623C-1400-000000004302}9521104C:\Windows\system32\svchost.exe{9531C931-515B-623C-8205-000000004302}5636C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000121175Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:15.246{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E40DBFBE4310429D6CD7363AD32429E,SHA256=D8FDE0D63ADF560CBAD75D6E50C008B67DD0562CA48C8D989E17BF9810D82323,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090425Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:15.551{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-515B-623C-8205-000000004302}5636C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000090424Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:15.551{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=FAB5006D371F5E2017BEEF2E4D3DAD80,SHA256=01A289A7C638D0154FFFE53CD05A0E918BDDB3208F201E18FA3314E629737852,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090423Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:15.533{9531C931-5139-623C-5205-000000004302}15403348C:\Windows\system32\csrss.exe{9531C931-515B-623C-8205-000000004302}5636C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000090422Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:15.518{9531C931-286C-623C-0500-000000004302}4081060C:\Windows\system32\csrss.exe{9531C931-515B-623C-8205-000000004302}5636C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000090421Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:15.518{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-515B-623C-8205-000000004302}5636C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f553|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25bc9|c:\windows\system32\rpcss.dll+40ca2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000090420Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:15.189{9531C931-5159-623C-8105-000000004302}5544WIN-HOST-TCONTR\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_keum32lv.uwy.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090419Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:15.175{9531C931-5159-623C-8105-000000004302}5544WIN-HOST-TCONTR\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_lzkzlamx.5bu.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090435Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:16.965{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=564956CFE2330A84BC58E72E0FCCDB5B,SHA256=D174CA2EEC9B85073FD27FFC632F540C5E75D21D851B18EE9597CC79AA86040D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090434Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:16.965{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61346D607A894179D2EE948386D1AF86,SHA256=7610B9E09050080B19C6C8C975FE1EB6DC9F56B6A40396C670DE7258F6F6D289,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121176Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:16.340{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7352EDDD4A850A0BB2479FCC0F82B7F1,SHA256=8751215E9516BD4904209708CECEB75E6659B5AE81667F6B6959AEF0C536105A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000121178Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:15.969{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63408-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000121177Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:17.435{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C1BB5A087C9E93947039ACF9BDF06C9,SHA256=9B0BD9385963748CC100613A8D9B720C58BF02FEEDE824178AEF2AEB16181CB2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090454Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:17.825{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090453Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:17.825{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090452Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:17.825{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090451Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:17.825{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090450Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:17.809{9531C931-5158-623C-8005-000000004302}55045524C:\Windows\system32\conhost.exe{9531C931-515D-623C-8305-000000004302}5784C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090449Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:17.809{9531C931-5139-623C-5205-000000004302}15403348C:\Windows\system32\csrss.exe{9531C931-515D-623C-8305-000000004302}5784C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000090448Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:17.809{9531C931-5159-623C-8105-000000004302}55445708C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{9531C931-515D-623C-8305-000000004302}5784C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\522db9cf6340db20d9ce58752dffc3b3\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\522db9cf6340db20d9ce58752dffc3b3\System.ni.dll+2be405|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\522db9cf6340db20d9ce58752dffc3b3\System.ni.dll+2be05f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\522db9cf6340db20d9ce58752dffc3b3\System.ni.dll+2bdb80|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\522db9cf6340db20d9ce58752dffc3b3\System.ni.dll+2bdb08|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\522db9cf6340db20d9ce58752dffc3b3\System.ni.dll+2bc1c3|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\522db9cf6340db20d9ce58752dffc3b3\System.ni.dll+7d8e81|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\522db9cf6340db20d9ce58752dffc3b3\System.ni.dll+7d828a|UNKNOWN(00000251E65FC661)|UNKNOWN(00000251E65FC661)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\96987e763a622d1cc421caa92e1c80c9\System.Management.Automation.ni.dll+8e8994bb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\96987e763a622d1cc421caa92e1c80c9\System.Management.Automation.ni.dll+8e87347d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\96987e763a622d1cc421caa92e1c80c9\System.Management.Automation.ni.dll+8e8730b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\96987e763a622d1cc421caa92e1c80c9\System.Management.Automation.ni.dll+8f33b3e6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\96987e763a622d1cc421caa92e1c80c9\System.Management.Automation.ni.dll+8e83002a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\96987e763a622d1cc421caa92e1c80c9\System.Management.Automation.ni.dll+8e893a9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\96987e763a622d1cc421caa92e1c80c9\System.Management.Automation.ni.dll+8e875aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\96987e763a622d1cc421caa92e1c80c9\System.Management.Automation.ni.dll+8e875aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\96987e763a622d1cc421caa92e1c80c9\System.Management.Automation.ni.dll+8e875c2b(wow64)|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+51c4a 154100x800000000000000090447Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:17.762{9531C931-515D-623C-8305-000000004302}5784C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.8.3761.0 built by: NET48REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\2\gydbn2ay\gydbn2ay.cmdline"C:\Windows\system32\WIN-HOST-TCONTR\Administrator{9531C931-513B-623C-21B3-330000000000}0x33b3212HighMD5=23EE3D381CFE3B9F6229483E2CE2F9E1,SHA256=4240A12E0B246C9D69AF1F697488FE7DA1B497DF20F4A6F95135B4D5FE180A57,IMPHASH=EE1E569AD02AA1F7AECA80AC0601D80D{9531C931-5159-623C-8105-000000004302}5544C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive -NoLogo -WindowStyle hidden -ExecutionPolicy Unrestricted "Import-Module "C:\ProgramData\Amazon\EC2-Windows\Launch\Module\Ec2Launch.psd1"; Set-Wallpaper -Initial" 11241100x800000000000000090446Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:17.715{9531C931-5159-623C-8105-000000004302}5544C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\gydbn2ay\gydbn2ay.cmdline2022-03-24 11:09:17.715 11241100x800000000000000090445Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971DLL2022-03-24 11:09:17.715{9531C931-5159-623C-8105-000000004302}5544C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\gydbn2ay\gydbn2ay.dll2022-03-24 11:09:17.715 354300x800000000000000090444Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:15.770{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51767-false10.0.1.12-8000- 354300x800000000000000090443Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:15.624{9531C931-5159-623C-8105-000000004302}5544C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWIN-HOST-TCONTR\Administratortcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51766-false93.184.220.29-80http 10341000x800000000000000090442Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:17.653{9531C931-286C-623C-0B00-000000004302}6284776C:\Windows\system32\lsass.exe{9531C931-513A-623C-5605-000000004302}3032C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000090441Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:17.372{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D40BE1FF9EB2FAA95533DF2478A7EB8A,SHA256=9816373EDE8C9A5D435827740FFE79F448FC1B0EA753B430C1540B3FC31E162D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090440Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:17.356{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7921AD73172156068C295ED0B63D1EB5,SHA256=BFC8F3AE4DEDBE92205E33D8BD79F707DA7ABD427DFA66C6455A5C9624072A4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090439Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:17.340{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8F9F88DDA0FDE217171BDBFC2BD175EF,SHA256=994E71FDA8083E984B873BE715DAAC038510121849023DCFFE58031DA8DE7FDE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090438Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:17.137{9531C931-513D-623C-5D05-000000004302}9921892C:\Windows\system32\sihost.exe{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+386f0|C:\Windows\System32\modernexecserver.dll+2ff00|C:\Windows\System32\modernexecserver.dll+1e81d|C:\Windows\System32\modernexecserver.dll+1e514|C:\Windows\System32\modernexecserver.dll+49142|C:\Windows\System32\modernexecserver.dll+14a47|C:\Windows\SYSTEM32\ntdll.dll+3a950|C:\Windows\SYSTEM32\ntdll.dll+1e87f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000090437Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:17.122{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=64DBAE85EC2957AD7940F656F2AF7FC6,SHA256=2E6A1B7E0BE45EDBBD45F45281710FFFB85E602506D6FCC4F794B9BC2F5C54DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090436Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:17.012{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3CEB26529AC34EC093F219EE8B2C4509,SHA256=6DE254C8C51D1DA9BCE5B964F33E08C250224EB4FD030324412FC7010C018791,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121179Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:18.529{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE4D9914F20EB262DFE6C453F85969EA,SHA256=C413287B349E4FD66500F911C29DBBD48E152632C2AF3DF82DB1149BF779A8E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090476Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:18.559{9531C931-513A-623C-5605-000000004302}3032NT AUTHORITY\NETWORK SERVICEC:\Windows\system32\wbem\wmiprvse.exeC:\Windows\INF\oem22.PNFMD5=86C199709EDF159F173915F6B4F94FD1,SHA256=F50FF4D2DC68AFAB17DD3598087B6F10323F88F1F20EB9C0428E4F4F63C05956,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090475Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:18.543{9531C931-513A-623C-5605-000000004302}3032NT AUTHORITY\NETWORK SERVICEC:\Windows\system32\wbem\wmiprvse.exeC:\Windows\INF\nettun.PNFMD5=8C5935319726DEF7D58E0FA47E9D95D9,SHA256=41742A7CFAFF93F1E876ED33377B43FA82BE9B8C76FA0E3714D71D995B140116,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090474Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:18.512{9531C931-513A-623C-5605-000000004302}3032NT AUTHORITY\NETWORK SERVICEC:\Windows\system32\wbem\wmiprvse.exeC:\Windows\INF\kdnic.PNFMD5=5A9ED63443DADAA9F78B016A4D140782,SHA256=42F6E997F0137AB6916F1FCD256449FFC8509F192A2B2B849650232049131457,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090473Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:18.200{9531C931-5159-623C-8105-000000004302}5544WIN-HOST-TCONTR\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\gydbn2ay\gydbn2ay.outMD5=BA1F1EAD7FA4BCD211B766159CE18294,SHA256=D62C494FDA44056B84442AB5CC42977C1F4928B1F4F4BC16C73CCB76CE634BAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090472Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:18.200{9531C931-5159-623C-8105-000000004302}5544WIN-HOST-TCONTR\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\gydbn2ay\gydbn2ay.cmdlineMD5=78F992511F6056EA54C8B1C8041322B7,SHA256=254AFD38C531711FDFFBFEEA92DC45D439CC2394B7AB021FC0435A319C523C33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090471Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:18.200{9531C931-5159-623C-8105-000000004302}5544WIN-HOST-TCONTR\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\gydbn2ay\gydbn2ay.dllMD5=FFC22D745C9E8D0F5B52567AF9CAD19F,SHA256=3CD021736EA7A1CA264503B31836D9820B5AC89544FE7685D07AAE00392E32A7,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x800000000000000090470Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:18.200{9531C931-5159-623C-8105-000000004302}5544WIN-HOST-TCONTR\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\gydbn2ay\gydbn2ay.0.csMD5=D9ACA9FFA16C22410A16DE5D5571469D,SHA256=74E86BCD8E601DAC165642F69B571B651867BE0251D7B3D9498D1F080E4D8391,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090469Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:18.184{9531C931-515D-623C-8305-000000004302}5784WIN-HOST-TCONTR\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\2\gydbn2ay\CSCC37509BC90CB4614946665ADA3BEC4E8.TMPMD5=DB6C769635307E807D0BF720844CC2E6,SHA256=942437291067FECD730642F66F7C5A224B03C123930667F82C0EB7E0E05C7466,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000090468Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971DLL2022-03-24 11:09:18.184{9531C931-515D-623C-8305-000000004302}5784C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\2\gydbn2ay\gydbn2ay.dll2022-03-24 11:09:17.715 23542300x800000000000000090467Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:18.184{9531C931-515D-623C-8305-000000004302}5784WIN-HOST-TCONTR\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\2\gydbn2ay\gydbn2ay.dllMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090466Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:18.184{9531C931-515D-623C-8305-000000004302}5784WIN-HOST-TCONTR\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RES9ED5.tmpMD5=000F5B3DDA54795C6A368BB5F88639BF,SHA256=93757B9B29468DD23D98CC8921BD4E752E358B4BE8CBDC16F2A3706AD5D21483,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090465Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:18.184{9531C931-515E-623C-8405-000000004302}5812WIN-HOST-TCONTR\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RES9ED5.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090464Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:18.168{9531C931-5158-623C-8005-000000004302}55045524C:\Windows\system32\conhost.exe{9531C931-515E-623C-8405-000000004302}5812C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090463Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:18.168{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090462Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:18.168{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090461Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:18.168{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090460Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:18.168{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090459Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:18.153{9531C931-5139-623C-5205-000000004302}15401684C:\Windows\system32\csrss.exe{9531C931-515E-623C-8405-000000004302}5812C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000090458Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:18.153{9531C931-515D-623C-8305-000000004302}57845788C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{9531C931-515E-623C-8405-000000004302}5812C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b46d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3db4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3f2c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+4002|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27b2|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+2804|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+2948|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7fe06|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+4726f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45e1f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45b16|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45826|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1938a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18bf6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+a831|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1f0a49|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000090457Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:18.164{9531C931-515E-623C-8405-000000004302}5812C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\2\RES9ED5.tmp" "c:\Users\Administrator\AppData\Local\Temp\2\gydbn2ay\CSCC37509BC90CB4614946665ADA3BEC4E8.TMP"C:\Windows\system32\WIN-HOST-TCONTR\Administrator{9531C931-513B-623C-21B3-330000000000}0x33b3212HighMD5=C877CBB966EA5939AA2A17B6A5160950,SHA256=1FE531EAC592B480AA4BD16052B909C3431434F17E7AE163D248355558CE43A6,IMPHASH=55D76ADE7FFEA0F41FF2B55505C2B362{9531C931-515D-623C-8305-000000004302}5784C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\2\gydbn2ay\gydbn2ay.cmdline" 23542300x800000000000000090456Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:18.043{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9F515A317A53793EA3ABD90646BCBB8,SHA256=F4B1D9C211B411EAD6095AA5CF72077A87BECEDC721474B7F18DDED926805159,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090455Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:17.997{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B33E96148EBAE0DD974350460CBFDCF6,SHA256=8FC6D8FDF7C91C9A4485DE2F23ED7DA60AFE67C889D8EB823EF9C2359DCAE552,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121180Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:19.622{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB4746D9B8962E8CDEFA58ECAC35CF4C,SHA256=08837339B59406ADF1428474D808B9067E8CF95594C4BE1DA66F41C9B6E147EF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090503Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:19.793{9531C931-286E-623C-1400-000000004302}9522352C:\Windows\system32\svchost.exe{9531C931-515F-623C-8605-000000004302}5924C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090502Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:19.793{9531C931-286E-623C-1400-000000004302}9521104C:\Windows\system32\svchost.exe{9531C931-515F-623C-8605-000000004302}5924C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090501Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:19.793{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-515F-623C-8605-000000004302}5924C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090500Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:19.778{9531C931-5139-623C-5205-000000004302}15401684C:\Windows\system32\csrss.exe{9531C931-515F-623C-8605-000000004302}5924C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000090499Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:19.778{9531C931-286C-623C-0500-000000004302}408424C:\Windows\system32\csrss.exe{9531C931-515F-623C-8605-000000004302}5924C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000090498Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:19.778{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-515F-623C-8605-000000004302}5924C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f553|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25bc9|c:\windows\system32\rpcss.dll+40ca2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000090497Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:18.051{9531C931-5159-623C-8105-000000004302}5544C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWIN-HOST-TCONTR\Administratortcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51771-false169.254.169.254-80http 354300x800000000000000090496Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:18.047{9531C931-5159-623C-8105-000000004302}5544C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWIN-HOST-TCONTR\Administratortcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51770-false169.254.169.254-80http 354300x800000000000000090495Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:18.021{9531C931-5159-623C-8105-000000004302}5544C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWIN-HOST-TCONTR\Administratortcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51769-false169.254.169.254-80http 354300x800000000000000090494Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:17.992{9531C931-5159-623C-8105-000000004302}5544C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWIN-HOST-TCONTR\Administratortcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51768-false169.254.169.254-80http 10341000x800000000000000090493Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:19.731{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090492Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:19.716{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090491Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:19.637{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090490Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:19.590{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-515F-623C-8505-000000004302}5888C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090489Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:19.544{9531C931-286C-623C-0500-000000004302}408528C:\Windows\system32\csrss.exe{9531C931-515F-623C-8505-000000004302}5888C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000090488Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:19.544{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-515F-623C-8505-000000004302}5888C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f553|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25bc9|c:\windows\system32\rpcss.dll+40ca2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090487Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:19.528{9531C931-286C-623C-0B00-000000004302}6284776C:\Windows\system32\lsass.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090486Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:19.497{9531C931-286E-623C-1400-000000004302}9522352C:\Windows\system32\svchost.exe{9531C931-286D-623C-0D00-000000004302}768C:\Windows\system32\svchost.exe0x1014c0C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\appinfo.dll+cdf0|c:\windows\system32\appinfo.dll+12868|c:\windows\system32\appinfo.dll+12fbf|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+268c|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090485Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:19.497{9531C931-286E-623C-1400-000000004302}9522352C:\Windows\system32\svchost.exe{9531C931-286D-623C-0D00-000000004302}768C:\Windows\system32\svchost.exe0x1014c0C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\appinfo.dll+cdf0|c:\windows\system32\appinfo.dll+12aa0|C:\Windows\System32\RPCRT4.dll+33ca4|C:\Windows\System32\RPCRT4.dll+21600|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090484Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:19.231{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286C-623C-0B00-000000004302}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090483Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:19.231{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286C-623C-0B00-000000004302}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090482Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:19.231{9531C931-286C-623C-0B00-000000004302}6284776C:\Windows\system32\lsass.exe{9531C931-286E-623C-1400-000000004302}952C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b8ad|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000090481Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:19.215{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7E5DFBD9B764A804899475B7E36BEE16,SHA256=AD4A6D63F5D3A9A9A307422E9CCF957E52066A7878939FF1929254D3C66ED66A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090480Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:19.184{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=592E6552F2B4661CDEA9F332F31E7D14,SHA256=9391DC0C58B06AB91C0C11582DC0AAA834FF8510790261FB018E91AA60A1EF0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090479Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:19.168{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66ADE9F5A61EE494ACA4F0B8B377B06A,SHA256=ABF08B61B6CCB8A6C3199A22C645B48A6FBFE5DB0D5B31D931E675A5E9D4970B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090478Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:19.168{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=964B00B81E3FA83085306EFA2AA58353,SHA256=1CFFB8949414DB3CE2EEF31BFF2406E5A6507A7EE7E0EFB9D2B6ADCFC32A243B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090477Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:19.168{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3E3AA34EC6F28E2A168F2E2B2A65C36B,SHA256=DFE2F35CCF740BEEE045EDD3E285D1153C7506B37587047C3764EBDE0466A325,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090509Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:20.934{9531C931-286E-623C-1500-000000004302}10401516C:\Windows\system32\svchost.exe{9531C931-5159-623C-8105-000000004302}5544C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090508Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:20.934{9531C931-286E-623C-1500-000000004302}10401516C:\Windows\system32\svchost.exe{9531C931-5159-623C-8105-000000004302}5544C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000090507Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:20.637{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=55B9C533A4DC4CB81AB1DF2FDCC618C9,SHA256=A7177C9789ACF33660021A71A86846D8071DD50E8D5C46B50D3885A9898FFFE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090506Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:20.418{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=AE2AD6313A1895983D22ED931B7E848C,SHA256=9AB8B0545B29F116770383CC55236CF236FEFDCA722F749C65C51658B81EF0CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090505Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:20.387{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2B10599AEDD4AD8712CBE0C8353CBCF0,SHA256=5737B5A9F5D9959C4CA59482D34FE63C43DA0EBD4DA4E0893CB6DAEF491FA0EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090504Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:20.372{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B1AD68B926E1AA249B910EDF0860F93,SHA256=0CAAE5CEF62645C9C4E994E8A1BD79AC24F95B5886072038E6BC590DE40E8DE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121183Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:20.716{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B644084B3027C364A838B9F25C635FA4,SHA256=4619847AC2365C066C00A612ECE5701D6A2AE22D048B17CD7DBBEC1B423636F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121182Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:20.451{5F3DCEF0-286D-623C-0D00-000000004202}8841160C:\Windows\system32\svchost.exe{5F3DCEF0-2A2F-623C-ED00-000000004202}2436C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3d877|c:\windows\system32\rpcss.dll+29a97|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121181Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:20.451{5F3DCEF0-286D-623C-0D00-000000004202}8841160C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3400-000000004202}2020C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3d877|c:\windows\system32\rpcss.dll+29a97|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000121184Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:21.810{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=266BD4718CFBB47196D0FAE035D3A9C5,SHA256=E336C9F37C913C709487CDD923A1EF3CDE2CD65B07E91837F8A605DEED834127,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090521Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:21.950{9531C931-286E-623C-1400-000000004302}9522352C:\Windows\system32\svchost.exe{9531C931-5161-623C-8705-000000004302}6004C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090520Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:21.950{9531C931-286E-623C-1400-000000004302}9521104C:\Windows\system32\svchost.exe{9531C931-5161-623C-8705-000000004302}6004C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000090519Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:21.950{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0329A95C37AD20626CF7A7A0CAE9110F,SHA256=A9FC9CD0957F8A27A515887C9C9630682B5D18C0CEC0071457001C0E66C998A2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090518Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:21.934{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-5161-623C-8705-000000004302}6004C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090517Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:21.918{9531C931-5139-623C-5205-000000004302}15403348C:\Windows\system32\csrss.exe{9531C931-5161-623C-8705-000000004302}6004C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000090516Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:21.918{9531C931-286C-623C-0500-000000004302}408424C:\Windows\system32\csrss.exe{9531C931-5161-623C-8705-000000004302}6004C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000090515Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:21.918{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-5161-623C-8705-000000004302}6004C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f553|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25bc9|c:\windows\system32\rpcss.dll+40ca2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000090514Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:19.260{9531C931-5159-623C-8105-000000004302}5544C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWIN-HOST-TCONTR\Administratortcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51773-false169.254.169.254-80http 354300x800000000000000090513Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:19.249{9531C931-5159-623C-8105-000000004302}5544C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWIN-HOST-TCONTR\Administratortcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51772-false169.254.169.254-80http 10341000x800000000000000090512Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:21.606{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090511Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:21.606{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000090510Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:21.466{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57B4B23F09FD27EDCFC09263F9A8B8FE,SHA256=1032CFFCD9BCFFE0EAB15AA60468CDA5795FEB85A9F27BECDB4F929D49BE61D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121185Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:22.904{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB391F86B17011BFB633997DCC7312BF,SHA256=4037739BA47A0E18C8AC28CBFED64D094F18E4A84DBA6F9D19C6D55C879D8BAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090522Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:22.559{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EC8CDCBABEEFBA9F1AF57746995E15C,SHA256=3ED95542E43A3DD00066B9F8F742A849C46EA78594BBECAF146025A4AEF6B026,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090523Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:23.653{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=084DF065883830C9C7AF709659C3AC84,SHA256=80610AB218282BF66C71AD28677F834A423409A606D3BC7C27E4A4DCD68726AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000121186Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:20.985{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63409-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000090535Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:24.778{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A216B76C3F8CF3810DC713FF8E285D16,SHA256=58E4DAE927F58B0210C890B2CB430B083BA5AFBB66CB6B60790DA58156C3ABD3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000090534Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:21.780{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51774-false10.0.1.12-8000- 23542300x8000000000000000121187Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:23.997{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1249FF03CFF6F97C6BEECD2ECE5E9E2,SHA256=4B31E79B35A1C3E29FEE67FFEAFCD0E254731AC9217854C71F7B019FCC902C35,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090533Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:24.387{9531C931-286E-623C-1400-000000004302}9522352C:\Windows\system32\svchost.exe{9531C931-5164-623C-8805-000000004302}6080C:\Windows\System32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090532Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:24.387{9531C931-286E-623C-1400-000000004302}9521104C:\Windows\system32\svchost.exe{9531C931-5164-623C-8805-000000004302}6080C:\Windows\System32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090531Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:24.325{9531C931-5139-623C-5205-000000004302}15401684C:\Windows\system32\csrss.exe{9531C931-5164-623C-8805-000000004302}6080C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000090530Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:24.309{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090529Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:24.309{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090528Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:24.309{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090527Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:24.309{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090526Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:24.309{9531C931-286C-623C-0500-000000004302}408528C:\Windows\system32\csrss.exe{9531C931-5164-623C-8805-000000004302}6080C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000090525Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:24.309{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-5164-623C-8805-000000004302}6080C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f553|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+26652|c:\windows\system32\rpcss.dll+424dd|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000090524Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:24.318{9531C931-5164-623C-8805-000000004302}6080C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXEC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -EmbeddingC:\Windows\system32\WIN-HOST-TCONTR\Administrator{9531C931-513B-623C-21B3-330000000000}0x33b3212HighMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{9531C931-286D-623C-0C00-000000004302}720C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 23542300x800000000000000090559Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:25.872{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B169C461C4F1C3E2C0A4830738C97ADA,SHA256=BAA9D9281F2618E0F0968425702B824FB9FB54E3E0B707D751BAA0D80215B8D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121188Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:25.091{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E15C076B1BE7E2F3EEE8D008F951E69,SHA256=40E23BDF8863F74F2E44E0E425A6314B449BBD934251EF2092C0FB2CD068FF5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090558Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:25.434{9531C931-5158-623C-7F05-000000004302}5496WIN-HOST-TCONTR\AdministratorC:\Windows\system32\cmd.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RunWallpaperSetupInit.cmdMD5=6F31D86A88379966303FF5E580AC09C9,SHA256=D6EC54010FC20FADFE76B05AE3DDBCAB1C3134F462C4ED615C32B571A2930D38,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090557Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:25.418{9531C931-5158-623C-8005-000000004302}55045524C:\Windows\system32\conhost.exe{9531C931-5165-623C-8A05-000000004302}6136C:\Windows\system32\findstr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090556Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:25.403{9531C931-5139-623C-5205-000000004302}15401684C:\Windows\system32\csrss.exe{9531C931-5165-623C-8A05-000000004302}6136C:\Windows\system32\findstr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000090555Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:25.403{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090554Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:25.403{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090553Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:25.403{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090552Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:25.403{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090551Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:25.403{9531C931-5158-623C-7F05-000000004302}54965500C:\Windows\system32\cmd.exe{9531C931-5165-623C-8A05-000000004302}6136C:\Windows\system32\findstr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+c3f6|C:\Windows\system32\cmd.exe+4917|C:\Windows\system32\cmd.exe+c378|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000090550Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:25.408{9531C931-5165-623C-8A05-000000004302}6136C:\Windows\System32\findstr.exe10.0.14393.0 (rs1_release.160715-1616)Find String (QGREP) UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationFINDSTR.EXEfindstr /v DELETEME C:\Windows\system32\WIN-HOST-TCONTR\Administrator{9531C931-513B-623C-21B3-330000000000}0x33b3212HighMD5=15B171EC73E7B71F4EBB4247E716271E,SHA256=2956F7BC863498DFCC868CE7DF4C9C131A4A5C17B065658456AFEF7566ACE1EE,IMPHASH=D7962312082AAB17974D6817E09E5D7A{9531C931-5158-623C-7F05-000000004302}5496C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RunWallpaperSetupInit.cmd" " 11241100x800000000000000090549Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971T10232022-03-24 11:09:25.387{9531C931-5158-623C-7F05-000000004302}5496C:\Windows\system32\cmd.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RunWallpaperSetup.cmd2022-03-24 11:09:25.387 10341000x800000000000000090548Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:25.387{9531C931-5158-623C-8005-000000004302}55045524C:\Windows\system32\conhost.exe{9531C931-5165-623C-8905-000000004302}6124C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090547Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:25.387{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090546Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:25.387{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090545Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:25.387{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090544Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:25.387{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090543Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:25.387{9531C931-5139-623C-5205-000000004302}15401844C:\Windows\system32\csrss.exe{9531C931-5165-623C-8905-000000004302}6124C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000090542Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:25.372{9531C931-5158-623C-7F05-000000004302}54965500C:\Windows\system32\cmd.exe{9531C931-5165-623C-8905-000000004302}6124C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+c3f6|C:\Windows\system32\cmd.exe+484b|C:\Windows\system32\cmd.exe+c378|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000090541Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:25.383{9531C931-5165-623C-8905-000000004302}6124C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /S /D /c" type "C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RunWallpaperSetupInit.cmd" "C:\Windows\system32\WIN-HOST-TCONTR\Administrator{9531C931-513B-623C-21B3-330000000000}0x33b3212HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{9531C931-5158-623C-7F05-000000004302}5496C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RunWallpaperSetupInit.cmd" " 23542300x800000000000000090540Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:25.356{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9FEE50CCAC094041D709EA7B5D798830,SHA256=587ABB08E16FB575B0C28F60B9A5676DDB0359CC022C7AF43CCB658CA04AEE73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090539Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:25.309{9531C931-5159-623C-8105-000000004302}5544WIN-HOST-TCONTR\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090538Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:25.200{9531C931-286E-623C-2100-000000004302}2000NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=B22241AA71F274FF52FC0B9ECDABF4E8,SHA256=72C1A5D24CC75E93BF6AE90ECC8F673BAF5682A2B05B7F5D3D0E22549BCFBCE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090537Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:25.137{9531C931-513E-623C-6505-000000004302}3588WIN-HOST-TCONTR\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1920_1080_POS4.jpgMD5=29909D3B662A429603C439A25717C213,SHA256=1C83A5D03C17235C3249936859F101C2934B0A7D569553A0D97C97A332ABE1AC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090536Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:25.029{9531C931-286E-623C-1500-000000004302}10401516C:\Windows\system32\svchost.exe{9531C931-5159-623C-8105-000000004302}5544C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000090561Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:26.981{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30E432889B94262BE9B832B605CD4F85,SHA256=AB7ECFA62291D5C77C09768F3D788F9CD9BAF55022E9DA71861947867CF671EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121189Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:26.185{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D268EEE9B8B768F26C5B697B0D6C3086,SHA256=7BD7A3417400AA3FB73A899B4DDCEC24EAA92AB5DAEFAC788F90B66FA7A279D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090560Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:26.340{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8443B01D9A691DC2ED1BC3087A233C57,SHA256=4534EA921A96FDB91C7CC3ECE09037FD23A1E08E88B4DAAF3E4E56217DA5E436,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121190Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:27.294{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90E5FBF6667601BCB851AD826DD9F137,SHA256=86C7A58DB2587A88F3D157ED458794399F95C52B6C9956332C764B841107729C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121191Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:28.388{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A45E3F5222C5BB3B55565893F157ADD6,SHA256=CED63109D38A25A8FE7FE6A054F944F769AC98F58F0C113A1D064FC4D79A334E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090562Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:28.075{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC42970400739C8405B0EBA0AC145FD4,SHA256=5C6301BA65C96B89597A1A9635E398524869579881E995997624704D2204D0D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121193Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:29.482{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7F79ABFF7F4E26DEFD38C1A5929D0E0,SHA256=44E070F2FA9944E4B74B6C2F5631655CE1BBB4E116AFED9E0FFC03CC4AEA8758,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000090564Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:27.718{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51775-false10.0.1.12-8000- 23542300x800000000000000090563Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:29.168{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2751A81A4407EC8AEC60389919F1A6E1,SHA256=0632C5E861BA66788DACE48B8B97FCD6490BD4A195F797F50B5D20752D255EBF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000121192Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:26.829{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63410-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000121194Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:30.576{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB13B5BA1E9789CADE559E84DEAA331C,SHA256=3763268AEF0FCC10A5094786FA72C5BC35FA7D4948620CA9400E1B5C1D2531A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090565Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:30.262{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44FBAB7377F01CDCD82377C7F370EB55,SHA256=3825116B3ABCBC500B422545DFF5742F970B7BB7FF74A114E00E373343923A25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121195Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:31.669{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=679DDD1E93597554743B94B99A44CFBD,SHA256=F8E0E6F61EDB62CCD15C1813E45D4ADC79C4F692E4B9BB8CA10D9E8D4B429C95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090567Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:31.653{9531C931-286E-623C-2100-000000004302}2000NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B25FDCC12974A9C381F03B139373D5A,SHA256=CCB13157BCC6FA0284F12C6446F2447FFDD0F4F85F98465868293CDAEA96B09E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090566Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:31.372{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83CD9AAD8726A8B452153811EEE00093,SHA256=4F694520FED11B1A34F1DA3CD2A9EB51F4C021570EAAA0E4FCF5BC4DD0B37891,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000090569Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:31.186{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51776-false10.0.1.12-8089- 23542300x800000000000000090568Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:32.465{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71B2FC42EA3B68064D09246F9692D930,SHA256=3E2AF0FCF64752EF0A5AC75758D3DB53CD6EE64BEE62B34ADF16D8FD7E8CE54B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121196Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:32.763{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07B26D764B4159AEA3DB952D5AB39DED,SHA256=B8BEF29AE831D41ADE7FDF1BEAF3DD769CD8821ED1DF429ED13FED981A2D91B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090571Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:33.559{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9AA89E9A836B66F5D023240B1B51060,SHA256=6C137EA26ADD6F92BC768FDF7ABACBD1167A3027957691EAE33EEB6C597B8EE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121197Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:33.857{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A592F43D7C0C27D620C00C0C40A646CD,SHA256=1BBF7F89CE1807A94C96B614F6BCE4D61C6FEE5B15900C7B7CD457DA6112E466,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090570Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:33.090{9531C931-513C-623C-5C05-000000004302}2556WIN-HOST-TCONTR\AdministratorC:\Windows\System32\RuntimeBroker.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000013.dbMD5=0D92ED7F11C57BE87DC2D8814A9071B4,SHA256=A2298AF4D2E16E1F6C066E8EF7F49EBA1F9559F5EF769E4A758D5D6040F9E49D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090573Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:34.653{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26E766B342A7738D5A2007E6204BE986,SHA256=551FBF7C86A2000B5B82ACEE8A7E0CD1E0E1A0F512E30C9EB13B0706AA9060FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121199Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:34.951{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6ED3C1D2D948B588B62516A53BD6EFF,SHA256=3B6CFE9A5AE0558AD430535CC5E97385966F32A3644FE7A3D5D09ABCE7F26A00,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000090572Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:09:34.247{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXEHKU\S-1-5-21-2214540325-3392803530-572759246-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{939D20AC-8036-406F-BD5C-BF672896BD71} {A08CE4D0-FA25-44AB-B57C-C7B1C323E0B9} 0xFFFFBinary Data 354300x8000000000000000121198Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:32.016{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63411-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000090575Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:33.734{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51777-false10.0.1.12-8000- 23542300x800000000000000090574Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:35.747{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=620E0BFBBE25A97900047C57E74BBFD8,SHA256=797B8C6A23D65F3DC9FA988E5FDE349D186CAD1CAF7B77B3DD514BA7FC818320,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090576Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:36.949{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB046EA119D0CC7000423E2BDDE8113D,SHA256=7CD599100CF946457A84CC6C761B4F087AAFB1F5C2360D8B489B846BF59ABEF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121201Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:36.076{5F3DCEF0-287B-623C-3200-000000004202}2344NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=3751BB058896330BC71B388F3C45FDA3,SHA256=F0B76400DC38CC8255ED3E5C31954A6E0EC4C77E31B739E99F15697802CD9F7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121200Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:36.044{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84ED3AFF057493EF459851647500EBC6,SHA256=C560B49C67737B442C0AD46E3D35AF22F528E297A26276EA4A2EFF3185085419,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121202Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:37.137{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3CC9FBE0C2266BE7BAE2A889D91EF4E,SHA256=19126D6ED36F4ED848380956CB33FEF686A84AE5D67E12F9B535102CF84FF468,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090578Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:38.371{9531C931-286E-623C-1400-000000004302}952NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\DeviceMetadataCache\OLDCACHE.000MD5=C0E2A6E40B42AFE4F808EA9B8AADCD34,SHA256=4AAD3886A900E3B0AD12BEFFA11179F099C92064E015F991340AEBBBEDC55B63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090577Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:38.043{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B20BF0E09C11B45156294CE3C495DC3,SHA256=3EA547EFADA6D44E5388B2CFFF57308FD0E2286E4A71F44595CC027804B8960C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121203Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:38.231{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3788C5BEC2AA62D2CE26221A8E5419D,SHA256=007AF88753F6B3E571B502ED6432DBF3B2954E6E436564CFED0C460E8FC05612,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000121206Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:37.781{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63412-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000121205Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:39.325{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7885229F24D18F3A23C1038798B847B0,SHA256=5CBC81723F4936E127F51E69756FFD2B637993A4BAECE2BA16ABB0E1D736E499,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090583Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:39.419{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=89E97B0384B4FE09A54992069D170869,SHA256=F7FEE15C888EE366CDB1C6C5E0347290EABB34C91B14C30C1961973B70AD4531,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000090582Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971T1158SetValue2022-03-24 11:09:39.387{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXEHKU\S-1-5-21-2214540325-3392803530-572759246-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHiddenDWORD (0x00000000) 13241300x800000000000000090581Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971T1158SetValue2022-03-24 11:09:39.387{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXEHKU\S-1-5-21-2214540325-3392803530-572759246-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExtDWORD (0x00000001) 13241300x800000000000000090580Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971T1158SetValue2022-03-24 11:09:39.387{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXEHKU\S-1-5-21-2214540325-3392803530-572759246-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HiddenDWORD (0x00000002) 23542300x800000000000000090579Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:39.137{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC7BC3526B8B71A170BA051C537F2A10,SHA256=57CBE42F3E193CC650FB292A34AFAB45E415DFCF2EB2A55DA1574B4CED57972D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121204Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:39.215{5F3DCEF0-286D-623C-1300-000000004202}488NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=C9217E57CD1CCBF957584B16AF644BEB,SHA256=198F018D11410B704B286DC4FEE9AF27199B18D1D798212A49728A397CFAAA69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121207Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:40.419{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1283047B66743AD089570A2206C75F95,SHA256=FF6F48A505EEAA06F9366130EDC9093FDD7540674AD6C879343D812DC93AA7BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090585Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:40.230{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5FE475006D5AAC0E92D5D5E92F34C98,SHA256=23736C558C5C9179323DF5C55B2E1AF49870D8F85724D0FF42D14AC49C977A30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090584Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:40.027{9531C931-286D-623C-1200-000000004302}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=5690BE1239FBDD31A91AAF4B840A6B16,SHA256=6AF85D35CDCABDB19A0D4D875CCE8B21D252ADE6B7E9DF781DEE5D6AC0B1D11C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121209Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:41.903{5F3DCEF0-287B-623C-3200-000000004202}2344NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B25FDCC12974A9C381F03B139373D5A,SHA256=CCB13157BCC6FA0284F12C6446F2447FFDD0F4F85F98465868293CDAEA96B09E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121208Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:41.512{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B6FACFDB155C8BCBFD47A4E8AB09600,SHA256=988BDC1D1DBF24DB4487910EB7FD282D5CE76E1E0AE4BFDA00DB3D8DF6D97BC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090586Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:41.324{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=181090F5FAB377CB27A5993CB4402BE1,SHA256=E83E875AB8A459C27F856785DC53CFC8EA57A5E9343C4F15D5B1FCD4A0648BD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121210Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:42.606{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F378A234989AADC76137B2E1E8633B06,SHA256=C71A1E70BF95AB84C197A1DEEE2BAB1C08E379E6B16BD0FBDB819B48E9115E84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090590Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:42.409{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00A3E8E3D5E64215DD396F4B0E824826,SHA256=A038B4FBCB3C2BCFA7FF8D1AE107E0E36393A58DA1BF537F8B3A2882B74DB07B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000090589Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:39.670{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51778-false10.0.1.12-8000- 13241300x800000000000000090588Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971T1158SetValue2022-03-24 11:09:42.003{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXEHKU\S-1-5-21-2214540325-3392803530-572759246-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExtDWORD (0x00000000) 13241300x800000000000000090587Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971T1158SetValue2022-03-24 11:09:42.003{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXEHKU\S-1-5-21-2214540325-3392803530-572759246-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HiddenDWORD (0x00000001) 23542300x8000000000000000121212Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:43.700{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B82DF8C96A0C1459A81870A69F1336B,SHA256=87DF9583A710DC5A8D4192AAA2F79A16F1A9EAC2E87BF1C4FB29F9C8740341D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000121211Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:41.641{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63413-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000090592Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:43.503{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61E430733E752CDA6E57603A51DB0317,SHA256=6D75B134E70C15E5E20B2D18712850197F13D11D156C81587745FC6939E1C256,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000090591Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:41.363{9531C931-2871-623C-3E00-000000004302}2764C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51779-false169.254.169.254-80http 23542300x800000000000000090593Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:44.596{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E69B272882B424CE8667E2F4EBEA29A9,SHA256=A76DCF89375A921BF4B38A0B4AC2A3E277EF854CEFFE395428E287E8E59C1962,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121214Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:44.794{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62B020E25A719C6C5CF7FE98D0D57A9A,SHA256=CF72BDC1D5123CE1F73CBDCCE5E9B8A625B47FC41875CD9363E40F97A53585D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000121213Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:42.859{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63414-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000090594Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:45.690{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39F067EF14951FFF441B21E407F0BDA9,SHA256=710C50D599760A5A43155F4E366C81C7882D2F1BDEC767CB4309A13E5E428B20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121215Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:45.778{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=248635D881744A17CEEC8C4BD19C3768,SHA256=0834C96CCD7183CDC8C0CDF91E4AF637F409C3B2635F87BB82D818AF99044D16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090595Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:46.784{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ACFC2FF8AC1C7CFC55F4AF95ADE9AEC,SHA256=90C8DC4FF631FE897290B553B61BD4C63854EFCC0E4BA27FB69B742E671DB480,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121216Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:46.872{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D01FEF8B8C098103BDA11AEE2203FC3C,SHA256=FCA6020C9D2104B7B931D83A1F9A6C2DF71054B3E4C3E11DFB4A7ED324D91DE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090596Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:47.893{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C14E81656FDB7B9099865CE3B19C8D6,SHA256=FD5B0CF2D876A028B286A3AEFA3EE8A1922D429D7C849C3B91D3E547ED2B0CE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121217Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:47.965{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B2F00DE52179D300B6C47F75A1EC620,SHA256=FEF2CD9D1BDE223F029ED7B52E6DE14359EB1D2594BE3B35E5E414654A4D470C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090609Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:48.987{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C3D7A2932CF46EF38605D4132DD95C4,SHA256=0F119DF371B9AC5E7A525A4D267B4620A55382812A301ADEEF214AE6CC5B0AF0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000090608Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:45.646{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51780-false10.0.1.12-8000- 13241300x800000000000000090607Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:09:48.503{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXEHKU\S-1-5-21-2214540325-3392803530-572759246-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE} {00000122-0000-0000-C000-000000000046} 0xFFFFBinary Data 13241300x800000000000000090606Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:09:48.440{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXEHKU\S-1-5-21-2214540325-3392803530-572759246-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{ECF03A32-103D-11D2-854D-006008059367} {00000122-0000-0000-C000-000000000046} 0xFFFFBinary Data 13241300x800000000000000090605Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:09:48.409{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXEHKU\S-1-5-21-2214540325-3392803530-572759246-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE} {00000122-0000-0000-C000-000000000046} 0xFFFFBinary Data 13241300x800000000000000090604Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:09:48.284{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXEHKU\S-1-5-21-2214540325-3392803530-572759246-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{B8CDCB65-B1BF-4B42-9428-1DFDB7EE92AF} {000214E4-0000-0000-C000-000000000046} 0xFFFFBinary Data 13241300x800000000000000090603Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:09:48.256{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXEHKU\S-1-5-21-2214540325-3392803530-572759246-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062} {00000122-0000-0000-C000-000000000046} 0xFFFFBinary Data 10341000x800000000000000090602Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:48.221{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090601Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:48.221{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090600Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:48.221{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090599Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:48.221{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000090598Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:09:48.129{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXEHKU\S-1-5-21-2214540325-3392803530-572759246-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{B298D29A-A6ED-11DE-BA8C-A68E55D89593} {000214E4-0000-0000-C000-000000000046} 0xFFFFBinary Data 13241300x800000000000000090597Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:09:48.096{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXEHKU\S-1-5-21-2214540325-3392803530-572759246-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{99D353BC-C813-41EC-8F28-EAE61E702E57} {A08CE4D0-FA25-44AB-B57C-C7B1C323E0B9} 0xFFFFBinary Data 354300x800000000000000090610Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:47.768{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51781-false93.184.220.29-80http 354300x8000000000000000121219Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:47.875{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63415-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000121218Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:49.059{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7647ED3E606B19D7E29168FE29E2D823,SHA256=CA2145053A13E8BE8FDA686021157B1D67067B3FBEA8A393AC7D5485A3DE6491,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090638Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:50.737{9531C931-513D-623C-6005-000000004302}32162744C:\Windows\system32\taskhostw.exe{9531C931-517E-623C-8B05-000000004302}5080C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090637Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:50.690{9531C931-513E-623C-6505-000000004302}35882724C:\Windows\Explorer.EXE{9531C931-517E-623C-8B05-000000004302}5080C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090636Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:50.690{9531C931-513E-623C-6505-000000004302}35882724C:\Windows\Explorer.EXE{9531C931-517E-623C-8B05-000000004302}5080C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090635Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:50.690{9531C931-513E-623C-6505-000000004302}35882724C:\Windows\Explorer.EXE{9531C931-517E-623C-8B05-000000004302}5080C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090634Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:50.690{9531C931-513E-623C-6505-000000004302}35884180C:\Windows\Explorer.EXE{9531C931-517E-623C-8B05-000000004302}5080C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090633Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:50.690{9531C931-513E-623C-6505-000000004302}35884180C:\Windows\Explorer.EXE{9531C931-517E-623C-8B05-000000004302}5080C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090632Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:50.690{9531C931-513E-623C-6505-000000004302}35884180C:\Windows\Explorer.EXE{9531C931-517E-623C-8B05-000000004302}5080C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090631Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:50.675{9531C931-513E-623C-6505-000000004302}35884180C:\Windows\Explorer.EXE{9531C931-517E-623C-8B05-000000004302}5080C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090630Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:50.643{9531C931-513D-623C-6005-000000004302}32162744C:\Windows\system32\taskhostw.exe{9531C931-517E-623C-8B05-000000004302}5080C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090629Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:50.643{9531C931-513D-623C-6005-000000004302}32162744C:\Windows\system32\taskhostw.exe{9531C931-517E-623C-8B05-000000004302}5080C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090628Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:50.628{9531C931-513E-623C-6505-000000004302}35884184C:\Windows\Explorer.EXE{9531C931-517E-623C-8B05-000000004302}5080C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bc660|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090627Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:50.628{9531C931-513E-623C-6505-000000004302}35884184C:\Windows\Explorer.EXE{9531C931-517E-623C-8B05-000000004302}5080C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10ac30|C:\Windows\System32\SHELL32.dll+bc61c|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090626Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:50.628{9531C931-513E-623C-6505-000000004302}35884184C:\Windows\Explorer.EXE{9531C931-517E-623C-8B05-000000004302}5080C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bc5f0|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090625Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:50.628{9531C931-513E-623C-6505-000000004302}35884184C:\Windows\Explorer.EXE{9531C931-517E-623C-8B05-000000004302}5080C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+1007b9|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090624Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:50.581{9531C931-286C-623C-0B00-000000004302}6284776C:\Windows\system32\lsass.exe{9531C931-517E-623C-8B05-000000004302}5080C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090623Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:50.518{9531C931-286C-623C-0B00-000000004302}6284776C:\Windows\system32\lsass.exe{9531C931-517E-623C-8B05-000000004302}5080C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090622Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:50.440{9531C931-286C-623C-0B00-000000004302}6284776C:\Windows\system32\lsass.exe{9531C931-517E-623C-8B05-000000004302}5080C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090621Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:50.440{9531C931-286C-623C-0B00-000000004302}6284776C:\Windows\system32\lsass.exe{9531C931-517E-623C-8B05-000000004302}5080C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090620Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:50.440{9531C931-286E-623C-1400-000000004302}9522352C:\Windows\system32\svchost.exe{9531C931-517E-623C-8B05-000000004302}5080C:\Program Files\7-Zip\7zG.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090619Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:50.440{9531C931-286E-623C-1400-000000004302}9521104C:\Windows\system32\svchost.exe{9531C931-517E-623C-8B05-000000004302}5080C:\Program Files\7-Zip\7zG.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090618Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:50.284{9531C931-5139-623C-5205-000000004302}15401684C:\Windows\system32\csrss.exe{9531C931-517E-623C-8B05-000000004302}5080C:\Program Files\7-Zip\7zG.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000090617Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:50.284{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090616Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:50.284{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090615Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:50.284{9531C931-513E-623C-6505-000000004302}35885012C:\Windows\Explorer.EXE{9531C931-517E-623C-8B05-000000004302}5080C:\Program Files\7-Zip\7zG.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\7-Zip\7-zip.dll+545c|C:\Program Files\7-Zip\7-zip.dll+67e5|C:\Program Files\7-Zip\7-zip.dll+6fbe|C:\Program Files\7-Zip\7-zip.dll+70d9|C:\Program Files\7-Zip\7-zip.dll+8e20|C:\Program Files\7-Zip\7-zip.dll+c301|C:\Windows\System32\SHELL32.dll+d9c67|C:\Windows\System32\SHELL32.dll+c0bbe|C:\Windows\System32\SHELL32.dll+15890c|C:\Windows\System32\SHELL32.dll+1982a8|C:\Windows\System32\SHELL32.dll+284613|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+158c54|C:\Windows\System32\SHELL32.dll+15602e|C:\Windows\System32\SHELL32.dll+cd0c1|C:\Windows\System32\SHELL32.dll+cffa6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15 10341000x800000000000000090614Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:50.284{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090613Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:50.284{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000090612Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:50.269{9531C931-517E-623C-8B05-000000004302}5080C:\Program Files\7-Zip\7zG.exe21.077-Zip GUI7-ZipIgor Pavlov7zg.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Temp\" -an -ai#7zMap7769:68:7zEvent1146C:\Windows\system32\WIN-HOST-TCONTR\Administrator{9531C931-513B-623C-21B3-330000000000}0x33b3212HighMD5=300B8E1F636DCDE7269EF18600493819,SHA256=3AEF7662DCDBBC952A3ECD3677DA943EF3D4AECB5BD624625B6B176B1B5CE617,IMPHASH=C60649CDE63EC51599F93CD2D0157322{9531C931-513E-623C-6505-000000004302}3588C:\Windows\explorer.exeC:\Windows\Explorer.EXE 23542300x800000000000000090611Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:50.081{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A85404DBF64516A3984EBFBA1F58F88C,SHA256=82929BE71D7537D45ED497EDE2FF8432A41CFCFD5E14ED43EFAF9A417657AA66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121220Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:50.153{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FCEC2059B4E3BAB3CEF99B77F2A9774,SHA256=C74C933DE7007B385AFB26673B99DC563B842B4974466608D4EC89D287F56C1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090640Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:51.690{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6520EEB85D85BEAD41C8CFECAD269A3E,SHA256=AF692F735DC254D6623A0F84AF4A092F656FD08C5E3DDB4080A28B32A0B70910,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090639Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:51.690{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EFE759F7C0D42943D5B1F6C5681A94C4,SHA256=71A34DA6700B6335BB81F21175AD9AAFD83167586E261B222A713C7BD7A6614E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121221Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:51.247{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A746BD7EC10F4234B6EED5D957306CA,SHA256=551DDA9756C919F103294DF1566E3906AC0C00081B599E2C67FA5E8E6C4CF2A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090653Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:52.862{9531C931-513E-623C-6505-000000004302}35882724C:\Windows\Explorer.EXE{9531C931-517E-623C-8B05-000000004302}5080C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090652Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:52.862{9531C931-513E-623C-6505-000000004302}35882724C:\Windows\Explorer.EXE{9531C931-517E-623C-8B05-000000004302}5080C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090651Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:52.862{9531C931-513E-623C-6505-000000004302}35882724C:\Windows\Explorer.EXE{9531C931-517E-623C-8B05-000000004302}5080C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090650Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:52.784{9531C931-5180-623C-8C05-000000004302}52925152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000090649Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:52.753{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=137301C7613A9E37292CC944A4A2BC43,SHA256=BBBFA578F5B118ED28418BA87D3A3536BD67C803952CB33689B03E42FFACE631,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121222Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:52.341{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=340EF4BACE89CD0FC10FB172683FEEC4,SHA256=63977806D1FF269A0B5EC31D5C87122ACA2C40F612614F959510FF758ADA8228,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090648Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:52.346{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-5180-623C-8C05-000000004302}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090647Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:52.346{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090646Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:52.346{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090645Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:52.346{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090644Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:52.346{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090643Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:52.346{9531C931-286C-623C-0500-000000004302}408424C:\Windows\system32\csrss.exe{9531C931-5180-623C-8C05-000000004302}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000090642Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:52.346{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-5180-623C-8C05-000000004302}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000090641Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:52.160{9531C931-5180-623C-8C05-000000004302}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000090673Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:53.862{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E63006E6161DA0DBDBAE034ABF752955,SHA256=4BE2BE8EC0DAA8CB91FAD6DBCD2EFF20928E3BBFCC1AFC15FCACA4599B8237F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121223Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:53.434{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CF5AF83BA923DB2226F27C12793B8F9,SHA256=25D83EBCA1EC955D0DB2403A45BDE1B324B1A5FA2E649BBE056025E78594185D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090672Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:53.722{9531C931-286E-623C-1400-000000004302}9522352C:\Windows\system32\svchost.exe{9531C931-5181-623C-8E05-000000004302}4496C:\Windows\SysWOW64\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090671Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:53.722{9531C931-286E-623C-1400-000000004302}9521104C:\Windows\system32\svchost.exe{9531C931-5181-623C-8E05-000000004302}4496C:\Windows\SysWOW64\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090670Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:53.643{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-5181-623C-8E05-000000004302}4496C:\Windows\SysWOW64\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090669Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:53.518{9531C931-5139-623C-5205-000000004302}15401844C:\Windows\system32\csrss.exe{9531C931-5181-623C-8E05-000000004302}4496C:\Windows\SysWOW64\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000090668Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:53.425{9531C931-286C-623C-0500-000000004302}408424C:\Windows\system32\csrss.exe{9531C931-5181-623C-8E05-000000004302}4496C:\Windows\SysWOW64\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000090667Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:53.425{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090666Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:53.425{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090665Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:53.425{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090664Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:53.425{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090663Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:53.425{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-5181-623C-8E05-000000004302}4496C:\Windows\SysWOW64\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f553|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25bc9|c:\windows\system32\rpcss.dll+40ca2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000090662Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:53.424{9531C931-5181-623C-8E05-000000004302}4496C:\Windows\SysWOW64\dllhost.exe10.0.14393.0 (rs1_release.160715-1616)COM SurrogateMicrosoft® Windows® Operating SystemMicrosoft Corporationdllhost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}C:\Windows\system32\WIN-HOST-TCONTR\Administrator{9531C931-513B-623C-21B3-330000000000}0x33b3212HighMD5=6046950FC9CA5B7A7E084C189658DACB,SHA256=5137C324038AB2E8EAB4F98A20BEE9F121346D62E4D907CA1E4A860F4C54EAE8,IMPHASH=EC90A0D780E0DD23BA7910ABD6BF7E32{9531C931-286D-623C-0C00-000000004302}720C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x800000000000000090661Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:53.409{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-5181-623C-8D05-000000004302}4964C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090660Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:53.393{9531C931-286C-623C-0500-000000004302}408424C:\Windows\system32\csrss.exe{9531C931-5181-623C-8D05-000000004302}4964C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000090659Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:53.393{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090658Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:53.393{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090657Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:53.393{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090656Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:53.393{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090655Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:53.393{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-5181-623C-8D05-000000004302}4964C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000090654Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:53.066{9531C931-5181-623C-8D05-000000004302}4964C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000090675Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:54.971{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B14466219113758CFC3FBDA83609239,SHA256=D1989577BABE4DAB5388E9664A4846CEEDFABC155713167D1A193DF015065DCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121236Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:54.521{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39171B407EEDA05006E7F4511983F1B5,SHA256=D29434794E96951AE9C2AF93D335DF9F3E247FC498F20C4D23170FB988FB6E84,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000090674Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:51.630{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51782-false10.0.1.12-8000- 23542300x8000000000000000121235Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:54.201{5F3DCEF0-286D-623C-1600-000000004202}1260NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\WindowsUpdate.logMD5=038356387332650843BCB352BB89A101,SHA256=492C9B102256321FB5598FF87ED5BCCAB8159F36DD8416CE4011FFBF5E96048D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121234Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:54.184{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-286D-623C-1600-000000004202}1260C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121233Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:54.153{5F3DCEF0-5182-623C-F405-000000004202}38124336C:\Windows\system32\conhost.exe{5F3DCEF0-5182-623C-F305-000000004202}2304C:\Windows\system32\sc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121232Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:54.137{5F3DCEF0-286A-623C-0500-000000004202}4041324C:\Windows\system32\csrss.exe{5F3DCEF0-5182-623C-F405-000000004202}3812C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000121231Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:54.137{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121230Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:54.137{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121229Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:54.137{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121228Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:54.137{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121227Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:54.137{5F3DCEF0-286A-623C-0500-000000004202}404520C:\Windows\system32\csrss.exe{5F3DCEF0-5182-623C-F305-000000004202}2304C:\Windows\system32\sc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000121226Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:54.137{5F3DCEF0-286D-623C-1600-000000004202}12601428C:\Windows\system32\svchost.exe{5F3DCEF0-5182-623C-F305-000000004202}2304C:\Windows\system32\sc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a731|c:\windows\system32\UBPM.dll+f954|c:\windows\system32\UBPM.dll+cd5c|c:\windows\system32\UBPM.dll+d325|c:\windows\system32\UBPM.dll+dc25|c:\windows\system32\UBPM.dll+e8fd|c:\windows\system32\UBPM.dll+e14a|c:\windows\system32\UBPM.dll+dda2|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121225Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:54.137{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-286D-623C-1600-000000004202}1260C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121224Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:54.137{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-286D-623C-1600-000000004202}1260C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000121240Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:55.615{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77BFE70A2392E0C1C7515C8FE07C5831,SHA256=E7558D15183B387331F3F8C6C97D53C49684E3D259990740860A9DAAE4B0FEB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090684Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:55.362{9531C931-286E-623C-2100-000000004302}2000NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=1E15C1D618839E31E1802AB678C2DB12,SHA256=80CB5D7A776450C69C27A54C5C1C2CFCE1D31D01F68879F1035D3AE6DE144A5E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090683Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:55.284{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-5183-623C-8F05-000000004302}4124C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090682Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:55.268{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090681Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:55.268{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090680Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:55.268{9531C931-286C-623C-0500-000000004302}408424C:\Windows\system32\csrss.exe{9531C931-5183-623C-8F05-000000004302}4124C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000090679Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:55.268{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090678Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:55.268{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090677Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:55.268{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-5183-623C-8F05-000000004302}4124C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000090676Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:55.035{9531C931-5183-623C-8F05-000000004302}4124C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000121239Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:55.381{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=B3EEB3EF4082B6E4631799AC39A2B76C,SHA256=7D28FA5271FE0FEA8C90B8D4A55BF36DE368AF10D9280722227C62038E86900B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121238Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:55.256{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1645791650F4FD8B66EEADAD79533F6A,SHA256=1C3E9FD3A4124C1ECE48354D1572D0488CFE2845FF3CDF8EC7D221934977C2BC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000121237Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:52.891{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63416-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000121242Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:56.704{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ED87B59D1FCFDAF9E3DB833D22CA63A,SHA256=A0BC39095D2905FB767C4C2C5A20CE81B760BD5C14C2D7D727303A119FB196ED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090694Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:56.706{9531C931-5183-623C-9005-000000004302}51964932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090693Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:56.440{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-5183-623C-9005-000000004302}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090692Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:56.424{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090691Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:56.424{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090690Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:56.424{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090689Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:56.424{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090688Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:56.424{9531C931-286C-623C-0500-000000004302}408424C:\Windows\system32\csrss.exe{9531C931-5183-623C-9005-000000004302}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000090687Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:56.424{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-5183-623C-9005-000000004302}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000090686Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:55.956{9531C931-5183-623C-9005-000000004302}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000090685Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:56.067{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3613AF34689B7107B4803CF009096DD,SHA256=5402DACF1A79A697703C48356A88F942C6837BB45A4B1C8944978A4E2F8B9031,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000121241Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:53.975{5F3DCEF0-287D-623C-4A00-000000004202}3652C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63417-false169.254.169.254-80http 23542300x8000000000000000121243Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:57.798{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D663AD9AF58DD4411B19E0D627B1CA36,SHA256=E63318F1D1C5C7C56EBD17FE37322394F8397E60C02B088BE144BE2ACEE6AB49,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090704Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:57.800{9531C931-5185-623C-9105-000000004302}51884164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090703Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:57.503{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-5185-623C-9105-000000004302}5188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090702Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:57.503{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090701Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:57.503{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090700Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:57.503{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090699Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:57.503{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090698Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:57.503{9531C931-286C-623C-0500-000000004302}4081060C:\Windows\system32\csrss.exe{9531C931-5185-623C-9105-000000004302}5188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000090697Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:57.503{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-5185-623C-9105-000000004302}5188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000090696Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:57.098{9531C931-5185-623C-9105-000000004302}5188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000090695Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:57.191{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=210F41D756FABCB897E0D81224271513,SHA256=32050B6FD4D2524264BF870E3693219D6F1D292D72932C56345085D0024790BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121245Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:58.907{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F978655D55EC776C5F9E3AEEBED5FB94,SHA256=C2067DB21BAA3FC268315823FBE1A1A0E95A1C67AF7216AB5C68F2AC28EBD2C9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000090717Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:56.774{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51784-false10.0.1.12-8000- 354300x800000000000000090716Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:56.247{9531C931-513E-623C-6505-000000004302}3588C:\Windows\explorer.exeWIN-HOST-TCONTR\Administratortcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51783-false20.199.120.151-443https 10341000x800000000000000090715Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:58.551{9531C931-5186-623C-9205-000000004302}43485488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000090714Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:58.316{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D43531AE3C87F52D3053D2D399F2A38,SHA256=82B40DF93611FEE9AA8197FCF22C3E2F045F43C73FE824EF6E1A4F28277448D0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000121244Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:56.437{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local53domainfalse10.0.1.15WIN-HOST-TCONTR54601- 10341000x800000000000000090713Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:58.175{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-5186-623C-9205-000000004302}4348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090712Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:58.175{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090711Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:58.175{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090710Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:58.175{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090709Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:58.175{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090708Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:58.175{9531C931-286C-623C-0500-000000004302}408528C:\Windows\system32\csrss.exe{9531C931-5186-623C-9205-000000004302}4348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000090707Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:58.175{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-5186-623C-9205-000000004302}4348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000090706Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:58.176{9531C931-5186-623C-9205-000000004302}4348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000090705Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:58.113{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=522D25B85B956F7F6683835E3F11A1DC,SHA256=61F3008612CA91E29FFFF364ACB899372986857F25A8B58D6FBD29652183528F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090726Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:59.425{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A03A7FCE6E509A52A33D57FA9B1DED54,SHA256=F9D467886FD4F72A159CACA82DE6C0EC3B142449F746B60113732B9FDECB15C8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090725Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:59.347{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-5187-623C-9305-000000004302}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090724Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:59.347{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090723Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:59.347{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090722Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:59.347{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090721Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:59.347{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090720Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:59.347{9531C931-286C-623C-0500-000000004302}4081060C:\Windows\system32\csrss.exe{9531C931-5187-623C-9305-000000004302}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000090719Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:59.347{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-5187-623C-9305-000000004302}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000090718Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:09:59.348{9531C931-5187-623C-9305-000000004302}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000090727Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:00.410{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42DEB7E81601AB29CCF5B3F6BAA716D7,SHA256=B02579721D630E3C7D8761CE72A306580870ED0567191181A92DA62CFE64D82C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000121247Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:58.227{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local53domainfalse10.0.1.15WIN-HOST-TCONTR52886- 23542300x8000000000000000121246Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:00.001{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78FCA06D6D7D49951DD168DB15D7A2DE,SHA256=82F1D29523A5518ED6B18929861E12A9B182A8961A419BAF94C3378EF6F33097,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090729Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:01.711{9531C931-286E-623C-1F00-000000004302}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0461bb3aaa367e86a\channels\health\respondent-20220324081441-170MD5=E0BA989DE2EAC2D304FA728EF5181BE5,SHA256=79811ABCB3575FCAAAD7A2ED1966FC2D319842A68AFDD7DF3600AD47FF32DF65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090728Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:01.503{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE1417AAA015A3CA8D01D4DE7C0648DE,SHA256=36F93695EB81076567DC64BDFACEA7C0C22472B02D249463FD7D9B4B934A6674,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000121249Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:09:58.879{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63418-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000121248Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:01.095{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8E5B8F90A8236E7E48C6DC4CC3C6538,SHA256=879117B2D6D7AEF1EA65461FD9E696ED73649578BA388FC57AA31BDF4007D7AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090731Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:02.709{9531C931-286E-623C-1F00-000000004302}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0461bb3aaa367e86a\channels\health\surveyor-20220324081439-171MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090730Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:02.598{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FD48D3AFC7948218E6D3F0833280E13,SHA256=F51E62E0EF30F9EEDF95CA7870DEE15B6D75D1F7ADA608DC97AF3329032A01AD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121258Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:02.595{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-518A-623C-F505-000000004202}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121257Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:02.595{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121256Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:02.595{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121255Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:02.595{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121254Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:02.595{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121253Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:02.595{5F3DCEF0-286A-623C-0500-000000004202}404608C:\Windows\system32\csrss.exe{5F3DCEF0-518A-623C-F505-000000004202}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000121252Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:02.595{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-518A-623C-F505-000000004202}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000121251Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:02.596{5F3DCEF0-518A-623C-F505-000000004202}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000121250Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:02.188{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0935DF4DD38E7E9AA8D6E69ECBD5B623,SHA256=B84275451A7E8771C6474F2328F846D3F148F3D569E2A7E2FA69A23A8B70FA8E,IMPHASH=00000000000000000000000000000000falsetrue 17141700x800000000000000090734Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-CreatePipe2022-03-24 11:10:03.819{9531C931-513E-623C-6505-000000004302}3588\UIA_PIPE_3588_00004b8dC:\Windows\Explorer.EXE 23542300x800000000000000090733Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:03.694{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43A72EC682BD77E4672C9F4691966231,SHA256=1E0D7560C837FFA0582CAD2EF73EAD20EF0BF76AEAD62C9791EE6E74FF43CEED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121268Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:03.688{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=430FF254025E0706E41280C65908747E,SHA256=FBFD03ADCAAC2D7DDBACEA86208D97790297605E25BD0BF19D71D33CFFC5240D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121267Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:03.501{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-518B-623C-F605-000000004202}3936C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121266Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:03.501{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121265Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:03.501{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121264Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:03.501{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121263Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:03.501{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121262Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:03.501{5F3DCEF0-286A-623C-0500-000000004202}404520C:\Windows\system32\csrss.exe{5F3DCEF0-518B-623C-F605-000000004202}3936C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000121261Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:03.501{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-518B-623C-F605-000000004202}3936C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000121260Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:03.502{5F3DCEF0-518B-623C-F605-000000004202}3936C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000121259Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:03.282{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2213529B8E261807AA7D5B876FB368D1,SHA256=A1EBDEBA35C45171D4B6A203E276DE366755A92DBC26ACA75CB8BD2561935421,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090732Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:03.444{9531C931-513D-623C-6005-000000004302}32162744C:\Windows\system32\taskhostw.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000090741Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:04.803{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9F6D9783FD905B8FB840EA1F1648CA9,SHA256=DCA8EC20556394C3E867D08A5F5D8AF2D9BAD34FE0D41A37A5A79FA35409974C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121278Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:04.376{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5396C8FEB50FAD8C459FE5953216DB7,SHA256=E8EB93DD1D2C03B52E83D04EAAAA66A94B081871F3C261017B57DB624674C368,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090740Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:04.225{9531C931-286E-623C-1400-000000004302}9522352C:\Windows\system32\svchost.exe{9531C931-518C-623C-9405-000000004302}5584C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090739Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:04.225{9531C931-286E-623C-1400-000000004302}9521104C:\Windows\system32\svchost.exe{9531C931-518C-623C-9405-000000004302}5584C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090738Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:04.178{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-518C-623C-9405-000000004302}5584C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090737Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:04.178{9531C931-5139-623C-5205-000000004302}15401844C:\Windows\system32\csrss.exe{9531C931-518C-623C-9405-000000004302}5584C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000090736Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:04.163{9531C931-286C-623C-0500-000000004302}408528C:\Windows\system32\csrss.exe{9531C931-518C-623C-9405-000000004302}5584C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000090735Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:04.163{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-518C-623C-9405-000000004302}5584C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f553|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25bc9|c:\windows\system32\rpcss.dll+40ca2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121277Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:04.204{5F3DCEF0-518C-623C-F705-000000004202}63646048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121276Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:04.001{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-518C-623C-F705-000000004202}6364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121275Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:04.001{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121274Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:04.001{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121273Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:04.001{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121272Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:04.001{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121271Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:04.001{5F3DCEF0-286A-623C-0500-000000004202}404520C:\Windows\system32\csrss.exe{5F3DCEF0-518C-623C-F705-000000004202}6364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000121270Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:04.001{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-518C-623C-F705-000000004202}6364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000121269Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:04.002{5F3DCEF0-518C-623C-F705-000000004202}6364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000090744Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:05.897{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5834242DA7D726B8D17FE445637365CB,SHA256=1B4BF0B4611FC8C73706CA14E94409BA3DA4401D3FA5CFFF3CB29F6E70413FA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121280Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:05.470{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FAFAB52C3C9DD2A2BADC122C78ADA9C,SHA256=D97DB3A3DA08CF658D53C2B4D8170EE0D112A1494549457444CD40866D24B765,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000090743Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:02.724{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51785-false10.0.1.12-8000- 23542300x800000000000000090742Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:05.241{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DA3F4F0D5765E5A8D4EDC81B6B6C0E2A,SHA256=A43FAD4E6E7A29901A9951C4A230B4434C63D84094F75BCAA249EA921D368CAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121279Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:05.360{5F3DCEF0-287B-623C-3200-000000004202}2344NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=A4182F2056B1D66A2A22B725B3CEEA66,SHA256=A790810415141281E64813F2F189AC2D9C5892543CFA51FDCB4B3B29E8EA82B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090745Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:06.991{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA65603E0D772A85F19CBD6DAEA77D41,SHA256=354B2EA8B7FD323F4C1CC96A6150E8EBB3817FF81ACB2F1FCFA49379E8A7F024,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121281Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:06.563{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BA8BB99363CC3174123A2249AADD0AB,SHA256=5E5B7A7273571C56FF02A90F8CD72D195D792DEAC91EFF660354ADA610664A5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121294Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:07.657{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7507D414C1C859BE29D858E3C5FF5EA1,SHA256=447100FBF1B59FF4585E6C51AC95373ACB7FF56D8B5C6C60FAE3728F64A3DDD6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000121293Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:05.942{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local63420-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local389ldap 354300x8000000000000000121292Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:05.942{5F3DCEF0-287B-623C-2E00-000000004202}3044C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local63420-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local389ldap 354300x8000000000000000121291Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:04.848{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63419-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000121290Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:07.266{5F3DCEF0-518F-623C-F805-000000004202}21006916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121289Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:07.079{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-518F-623C-F805-000000004202}2100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121288Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:07.079{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121287Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:07.079{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121286Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:07.079{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121285Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:07.079{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121284Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:07.079{5F3DCEF0-286A-623C-0500-000000004202}404420C:\Windows\system32\csrss.exe{5F3DCEF0-518F-623C-F805-000000004202}2100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000121283Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:07.079{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-518F-623C-F805-000000004202}2100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000121282Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:07.080{5F3DCEF0-518F-623C-F805-000000004202}2100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000121311Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:08.860{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-5190-623C-FA05-000000004202}5872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121310Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:08.860{5F3DCEF0-286A-623C-0500-000000004202}4041324C:\Windows\system32\csrss.exe{5F3DCEF0-5190-623C-FA05-000000004202}5872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000121309Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:08.860{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121308Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:08.860{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-5190-623C-FA05-000000004202}5872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121307Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:08.860{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121306Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:08.860{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121305Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:08.860{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000121304Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:08.862{5F3DCEF0-5190-623C-FA05-000000004202}5872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000121303Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:08.751{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5A71191CA71C31DB72F97B2B3EC9CEB,SHA256=5050D8B3ECDB0CB36974A19BCB8D27888C78CF885D387DE6CA88A65181213302,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090746Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:08.085{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=627246C4F2337DD69EE056261C411738,SHA256=A83F4A33984E0871C863A26AE5CF7899B13561FDAEE67F6DBC9BF65DF50D857E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121302Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:08.251{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-5190-623C-F905-000000004202}6356C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121301Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:08.251{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121300Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:08.251{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121299Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:08.251{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121298Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:08.251{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121297Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:08.251{5F3DCEF0-286A-623C-0500-000000004202}4041324C:\Windows\system32\csrss.exe{5F3DCEF0-5190-623C-F905-000000004202}6356C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000121296Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:08.251{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-5190-623C-F905-000000004202}6356C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000121295Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:08.252{5F3DCEF0-5190-623C-F905-000000004202}6356C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000121323Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:09.845{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44FCC75D134B23CD13211F9C6AF71F2F,SHA256=241E01D90898B52E26D033C148E30261954333EC71BE7E36BCBBE8A13306CF60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090747Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:09.194{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83582FD95A94392AF8D8B96235505D4E,SHA256=A8E5E875FF3532DE82D154B1EB7AD6916099F0FAEEC147F0A055DA7152F9A3F9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121322Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:09.532{5F3DCEF0-5191-623C-FB05-000000004202}57244812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000121321Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:09.392{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3F9EB550D7FC800ED66577B62D3B77C1,SHA256=F6DCA1CBFF81BA6FDE0206D5E3341A801EE8A4C344A42279EFD6CB4D3A6C0794,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121320Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:09.360{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-5191-623C-FB05-000000004202}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121319Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:09.360{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121318Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:09.360{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121317Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:09.360{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121316Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:09.360{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121315Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:09.360{5F3DCEF0-286A-623C-0500-000000004202}404420C:\Windows\system32\csrss.exe{5F3DCEF0-5191-623C-FB05-000000004202}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000121314Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:09.360{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-5191-623C-FB05-000000004202}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000121313Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:09.361{5F3DCEF0-5191-623C-FB05-000000004202}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000121312Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:09.079{5F3DCEF0-5190-623C-FA05-000000004202}58726500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000121324Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:10.938{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BFF79409F4CE1187D3508B4FFF9D6F0,SHA256=84A96646AD7F2FD8BCE5587544937CDF0B8C8C42FD720441F09A703668BD3C5C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000090749Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:08.729{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51786-false10.0.1.12-8000- 23542300x800000000000000090748Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:10.288{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAF608D9ACAD935DB3EBCAC2B149D0E0,SHA256=29F37F7E4AE1AB0722086544DA259CC5E1F72E28CBF88D87ADE292FF82102714,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090750Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:11.397{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19DBDBDD37362B55EE5119EE5E6E72F9,SHA256=B705299B5883B70F42D1BB033C3718D91619610460579C4EFAF6E9619248272F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000121325Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:09.863{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63421-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000090758Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:12.897{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090757Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:12.897{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090756Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:12.897{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090755Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:12.897{9531C931-5139-623C-5205-000000004302}15401684C:\Windows\system32\csrss.exe{9531C931-5194-623C-9505-000000004302}5852C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000090754Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:12.897{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090753Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:12.897{9531C931-513E-623C-6505-000000004302}35885628C:\Windows\Explorer.EXE{9531C931-5194-623C-9505-000000004302}5852C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Notepad++\NppShell_06.dll+4449|C:\Program Files\Notepad++\NppShell_06.dll+46a6|C:\Windows\System32\SHELL32.dll+d9c67|C:\Windows\System32\SHELL32.dll+c0bbe|C:\Windows\System32\SHELL32.dll+15890c|C:\Windows\System32\SHELL32.dll+1982a8|C:\Windows\System32\SHELL32.dll+284613|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+158c54|C:\Windows\System32\SHELL32.dll+15602e|C:\Windows\System32\SHELL32.dll+cd0c1|C:\Windows\System32\SHELL32.dll+cffa6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53 154100x800000000000000090752Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:12.832{9531C931-5194-623C-9505-000000004302}5852C:\Program Files\Notepad++\notepad++.exe8.33Notepad++ : a free (GPL) source code editorNotepad++Don HO don.h@free.frnotepad++.exe"C:\Program Files\Notepad++\notepad++.exe" "C:\Program Files\ansible\AttackRangeSysmon.xml"C:\Windows\system32\WIN-HOST-TCONTR\Administrator{9531C931-513B-623C-21B3-330000000000}0x33b3212HighMD5=4F97FC820667DEBD2A076D99E4656179,SHA256=7CBA6F6EDC53CAFAC8D74451EE4EFCFF1CA0D8EAF5BF111B9717B3A14BC5791F,IMPHASH=6BF41AAD44CE76BBBB7AA843748061B9{9531C931-513E-623C-6505-000000004302}3588C:\Windows\explorer.exeC:\Windows\Explorer.EXE 23542300x800000000000000090751Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:12.491{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A75853D08B33F35A9B38E7B875968202,SHA256=5716BEB3D8A7E43DC425F286560314024F1363D466A16F874B75F22CA2B8C2EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121326Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:12.032{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61908E6D14A7EFF6467164F9EB98066D,SHA256=C01325271ED940E7C2F5C1A1C7D9D160CC895EBAB2AEF061C9A7EE4242586F5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090781Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:13.928{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D9FF3662B81A822D761BAC8E9D0E17A9,SHA256=FC3C4046408707AA02A3C4EC54EE091F5B34D6433A51F834C0A6B033CC5E2231,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090780Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:13.741{9531C931-513D-623C-6005-000000004302}32162744C:\Windows\system32\taskhostw.exe{9531C931-5194-623C-9505-000000004302}5852C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090779Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:13.741{9531C931-513D-623C-6005-000000004302}32162744C:\Windows\system32\taskhostw.exe{9531C931-5194-623C-9505-000000004302}5852C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090778Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:13.725{9531C931-513E-623C-6505-000000004302}35884184C:\Windows\Explorer.EXE{9531C931-5194-623C-9505-000000004302}5852C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bc660|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090777Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:13.725{9531C931-513E-623C-6505-000000004302}35884184C:\Windows\Explorer.EXE{9531C931-5194-623C-9505-000000004302}5852C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10ac30|C:\Windows\System32\SHELL32.dll+bc61c|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090776Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:13.725{9531C931-513E-623C-6505-000000004302}35884184C:\Windows\Explorer.EXE{9531C931-5194-623C-9505-000000004302}5852C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bc5f0|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090775Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:13.725{9531C931-513E-623C-6505-000000004302}35884184C:\Windows\Explorer.EXE{9531C931-5194-623C-9505-000000004302}5852C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+1007b9|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000090774Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:13.617{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F14D99D785E69133CC7B81780E0E11F,SHA256=702B9F5149BC85182853E54B9EDF1F91ACA838604A9FB711FD7105752C8B24D9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090773Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:13.538{9531C931-286C-623C-0B00-000000004302}6283596C:\Windows\system32\lsass.exe{9531C931-5195-623C-9605-000000004302}2372C:\Program Files\Notepad++\updater\gup.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090772Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:13.538{9531C931-286C-623C-0B00-000000004302}6283596C:\Windows\system32\lsass.exe{9531C931-5195-623C-9605-000000004302}2372C:\Program Files\Notepad++\updater\gup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000121327Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:13.126{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC4E1A66F4FE1D1C255D5171E71B5B62,SHA256=FCC5013928ACEABAC45964C2EE9A3BB4E40106B2D3B10F29D898B81B0B9D1DCA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090771Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:13.397{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-5194-623C-9505-000000004302}5852C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090770Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:13.336{9531C931-5139-623C-5205-000000004302}15403348C:\Windows\system32\csrss.exe{9531C931-5195-623C-9605-000000004302}2372C:\Program Files\Notepad++\updater\gup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000090769Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:13.336{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090768Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:13.336{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090767Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:13.336{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090766Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:13.336{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090765Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:13.319{9531C931-5194-623C-9505-000000004302}58525864C:\Program Files\Notepad++\notepad++.exe{9531C931-5195-623C-9605-000000004302}2372C:\Program Files\Notepad++\updater\gup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e70b|C:\Windows\System32\windows.storage.dll+16e421|C:\Windows\System32\windows.storage.dll+16e06e|C:\Windows\System32\windows.storage.dll+16f310|C:\Windows\System32\windows.storage.dll+16ddbe|C:\Windows\System32\windows.storage.dll+fce7d|C:\Windows\System32\windows.storage.dll+fd5bc|C:\Windows\System32\windows.storage.dll+fc920|C:\Windows\System32\SHELL32.dll+9a37f|C:\Windows\System32\SHELL32.dll+9a20c|C:\Windows\System32\SHELL32.dll+99f5c|C:\Windows\System32\SHELL32.dll+6d0d7|C:\Windows\System32\SHELL32.dll+6d035|C:\Windows\System32\SHELL32.dll+134e5b|C:\Program Files\Notepad++\notepad++.exe+251709|C:\Program Files\Notepad++\notepad++.exe+2a5f24|C:\Program Files\Notepad++\notepad++.exe+2d800a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000090764Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:13.305{9531C931-5195-623C-9605-000000004302}2372C:\Program Files\Notepad++\updater\GUP.exe5.22WinGup for Notepad++WinGup for Notepad++Don HO don.h@free.frgup.exe"C:\Program Files\Notepad++\updater\gup.exe" -v8.33 -px64C:\Program Files\Notepad++\updater\WIN-HOST-TCONTR\Administrator{9531C931-513B-623C-21B3-330000000000}0x33b3212HighMD5=3867CD8AC770CFC1BF588D8382EA8275,SHA256=20CDF55C35077F3269913DE61534F2489B8F9326A8296335F4DCE0E51529FA80,IMPHASH=E701E8EF4E4DC8123B85C54C8532ABB5{9531C931-5194-623C-9505-000000004302}5852C:\Program Files\Notepad++\notepad++.exe"C:\Program Files\Notepad++\notepad++.exe" "C:\Program Files\ansible\AttackRangeSysmon.xml" 10341000x800000000000000090763Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:13.288{9531C931-286C-623C-0B00-000000004302}6283596C:\Windows\system32\lsass.exe{9531C931-5194-623C-9505-000000004302}5852C:\Program Files\Notepad++\notepad++.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090762Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:13.288{9531C931-286C-623C-0B00-000000004302}6283596C:\Windows\system32\lsass.exe{9531C931-5194-623C-9505-000000004302}5852C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090761Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:13.194{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-5194-623C-9505-000000004302}5852C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090760Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:13.178{9531C931-286E-623C-1400-000000004302}9522352C:\Windows\system32\svchost.exe{9531C931-5194-623C-9505-000000004302}5852C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090759Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:13.178{9531C931-286E-623C-1400-000000004302}9521104C:\Windows\system32\svchost.exe{9531C931-5194-623C-9505-000000004302}5852C:\Program Files\Notepad++\notepad++.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000090789Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:14.600{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C094F362C4BF306DE36491A970370AE1,SHA256=E835D3EC62CD6A931FF23751062DAF2E2BC904781D99CC53FFB2A17CD79102B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121329Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:14.815{5F3DCEF0-287B-623C-2F00-000000004202}3064NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-055648375a9ac07a7\channels\health\respondent-20220324081453-170MD5=AC296348C12F899BF0F527F2984A2DD1,SHA256=A35560BD23E94F5C9C2AA7752B988DA786BB94608EDDAF755EB3DCD02CE684A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121328Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:14.220{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C06877E586513EC84B6100DDE314D34E,SHA256=5C1F5C667B610448530632C8F1200E111A321F6BD132EE964E0D408E911BDEE2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090788Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:14.178{9531C931-513E-623C-6505-000000004302}35882724C:\Windows\Explorer.EXE{9531C931-5194-623C-9505-000000004302}5852C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090787Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:14.178{9531C931-513E-623C-6505-000000004302}35882724C:\Windows\Explorer.EXE{9531C931-5194-623C-9505-000000004302}5852C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090786Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:14.178{9531C931-513E-623C-6505-000000004302}35882724C:\Windows\Explorer.EXE{9531C931-5194-623C-9505-000000004302}5852C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090785Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:14.178{9531C931-513E-623C-6505-000000004302}35881252C:\Windows\Explorer.EXE{9531C931-5194-623C-9505-000000004302}5852C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090784Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:14.178{9531C931-513E-623C-6505-000000004302}35881252C:\Windows\Explorer.EXE{9531C931-5194-623C-9505-000000004302}5852C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090783Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:14.178{9531C931-513E-623C-6505-000000004302}35881252C:\Windows\Explorer.EXE{9531C931-5194-623C-9505-000000004302}5852C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090782Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:14.178{9531C931-513E-623C-6505-000000004302}35881252C:\Windows\Explorer.EXE{9531C931-5194-623C-9505-000000004302}5852C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000090791Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:15.694{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF4FDA22EE90F15531A75BC5D01EAE9C,SHA256=89864EF5EF6A89033AB73ED3353A7B24807B008281DEE4A4BAC34CB5F7F4C6DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121332Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:15.829{5F3DCEF0-287B-623C-2F00-000000004202}3064NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-055648375a9ac07a7\channels\health\surveyor-20220324081451-171MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000121331Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:13.266{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local53domainfalse10.0.1.15WIN-HOST-TCONTR50943- 23542300x8000000000000000121330Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:15.312{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1CD831555284FA635BDD0A1F62BFF2B,SHA256=1868779D551A1A3C26991430EA67D19A9539B02479CDBB67113231B85AFC27D5,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000090790Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:13.073{00000000-0000-0000-0000-000000000000}2372notepad-plus-plus.org0::ffff:104.21.23.210;::ffff:172.67.213.166;<unknown process> 23542300x800000000000000090795Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:16.798{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9FD9C6DE1950C7AF9AE43CCACE71120,SHA256=CCFE2D2AE9C2AA9C7E57D8A441225D15B975AC61D99F5D4DD39BDB1EC727DD8A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000090794Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:13.093{00000000-0000-0000-0000-000000000000}2372<unknown process>-tcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51789-false104.21.23.210-443https 354300x800000000000000090793Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:13.052{00000000-0000-0000-0000-000000000000}2372<unknown process>-tcpfalsefalse127.0.0.1win-host-tcontreras-attack-range-97151788-false127.0.0.1win-host-tcontreras-attack-range-97151787- 354300x800000000000000090792Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:13.051{00000000-0000-0000-0000-000000000000}2372<unknown process>-tcptruefalse127.0.0.1win-host-tcontreras-attack-range-97151788-false127.0.0.1win-host-tcontreras-attack-range-97151787- 23542300x8000000000000000121333Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:16.407{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A321E75F2224E986190CB5759635EC94,SHA256=5C8AF6973490F071053FAF6B0630468E1983C855084E72BDC559C1A00D920EA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090797Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:17.798{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=640B4136FF94F84FB92F7070BBCF41B4,SHA256=520E21D87E7E13DC0AC1BA93E2C1FAEB8049F04F7F220543D7CE446B75726322,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000121335Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:15.557{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local53domainfalse10.0.1.15WIN-HOST-TCONTR62230- 23542300x8000000000000000121334Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:17.502{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=172DDD0CF98095EB5B394DE16DD8DF6C,SHA256=925A4D3B47A009B443D8FCAF94DB220CD1152F522F4B59745586DC0DE7BE462F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000090796Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:13.728{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51790-false10.0.1.12-8000- 23542300x800000000000000090798Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:18.895{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=048A3AA42B2B11C813A4EB0D5CC9F90A,SHA256=D6EC2E93E9D8FBE4B6CF229048E9C51AE3F0E54B5FC1976C5EADB2304E28DD35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121337Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:18.705{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=703D7A20C475DB983D814625D610CB22,SHA256=70585719A80E5A2FE0DDC967BCC9C53D1E259F3EE8B37D88D8A3F0A68E1A1000,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000121336Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:15.845{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63422-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000090799Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:19.986{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15C227CBE272AF90D6F7ED9DDD30401E,SHA256=89579580CFDFFA0704518E1ADB2784DF68E9EB908E378130211C7A7F808AFC5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121338Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:19.799{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=004E253735068BD6A511502CE8376FAE,SHA256=A9E21B3F65499F76ACABDC4395F99EBAC662CC9413221060AE3DE5F38FC39B7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121339Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:20.893{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6FAD590DF134BB470D6FAA75A34E41F,SHA256=4A6D2F08B914CE425BFF401DACBD21AB184C7DC9EBE08C68FC62EA1B3F7A7C41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121340Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:21.986{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F9C20595A2EC25A32A949DCFFE6DF1B,SHA256=087BCDF58F5D1060B2A06A663EC027633CD1D6F586F3139ECF679DB2E2AE3BC9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000090801Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:18.754{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51791-false10.0.1.12-8000- 23542300x800000000000000090800Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:21.080{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D799B10F021068315EEAACEA5F3A39F,SHA256=8D68A668BC3DA95044AB52D7BB3C27BDD9B49070FE82ACE84A32ED53560CAF10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090802Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:22.173{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2248EB1965AFA3A7C0835ED50CE809B,SHA256=578F32743DEDCFC653DBAC886F4DDC96AF857E3A91159D88ED72DA3FE503D612,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090804Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:23.470{9531C931-5194-623C-9505-000000004302}5852WIN-HOST-TCONTR\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Program Files\ansible\AttackRangeSysmon.xmlMD5=1430C209EFF7FD5583D3D311A56A889C,SHA256=75358E8028A9D2A1CC1782C71200ED0E529269E98BDC3389937C592CA9D2EB8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090803Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:23.267{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D0C5D676B11946E814D7E0C09BF1FC1,SHA256=93A6FB76915934FCAE26AE1F2C874C893B48CC4903F5DF9BE5A61F4FB159B9FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121344Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:23.361{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-284E-623C-0100-000000004202}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97022|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+2d0d6|C:\Windows\system32\lsasrv.dll+32919|C:\Windows\system32\lsasrv.dll+30267|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+1752d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000121343Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:23.252{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-286D-623C-1600-000000004202}1260C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121342Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:23.252{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-286D-623C-1600-000000004202}1260C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000121341Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:23.080{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34E3479D6B7E48CCFD856C501641A82B,SHA256=A5ACE06EDE187B69A49171257BF70D1CCB88AF962A94B684B8E48F07354BF7C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090805Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:24.361{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BE747D287C9C7C84E448B4D3157EA50,SHA256=C55E82027CA1A2B94A31F87260F93265FA8CA9B9C491A9E21562D3002C0CFAA2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000121352Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:23.118{5F3DCEF0-284E-623C-0100-000000004202}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:44c5:ef28:42ec:7b5win-dc-tcontreras-attack-range-891.attackrange.local63426-truefe80:0:0:0:44c5:ef28:42ec:7b5win-dc-tcontreras-attack-range-891.attackrange.local445microsoft-ds 354300x8000000000000000121351Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:23.015{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63425-false10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local389ldap 354300x8000000000000000121350Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:23.015{5F3DCEF0-286D-623C-1600-000000004202}1260C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63425-false10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local389ldap 354300x8000000000000000121349Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:23.008{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:44c5:ef28:42ec:7b5win-dc-tcontreras-attack-range-891.attackrange.local63424-truefe80:0:0:0:44c5:ef28:42ec:7b5win-dc-tcontreras-attack-range-891.attackrange.local389ldap 354300x8000000000000000121348Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:23.008{5F3DCEF0-286D-623C-1600-000000004202}1260C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:44c5:ef28:42ec:7b5win-dc-tcontreras-attack-range-891.attackrange.local63424-truefe80:0:0:0:44c5:ef28:42ec:7b5win-dc-tcontreras-attack-range-891.attackrange.local389ldap 23542300x8000000000000000121347Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:24.299{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A1554D2C5B856E7659455E3607111DAD,SHA256=96748B3CE81E8CAC2561DEEE62C2B15EFF38884DDBBF2EE3701E3BC812C0BDA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121346Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:24.174{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B0999E916F5244AFAB1961288F767B3,SHA256=365FE05053A11263E4989EAC710EBDD85F493F79427ABC0150F7C5465ACECA67,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000121345Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:21.802{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63423-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000090807Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:25.673{9531C931-286E-623C-2100-000000004302}2000NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=5A5146640425021583D4A43C46D50241,SHA256=B9342AA355841481BCFBCB3CF348375C4775D540F080C57DEBE448CF0ED1626E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090806Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:25.455{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EADAD0A85F4433CD5FDE96C1818515C0,SHA256=D6A1E854320DC5EDE742E098891342B01985507451C0510E1B7795A664D7A9F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121354Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:25.268{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=246D82118F238A556AB267496C74E151,SHA256=CA1C55BE6FC6AE231ED9B2281D0FA2302A66E5928CBFE83D00321F7FFE87A2C4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000121353Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:23.118{5F3DCEF0-284E-623C-0100-000000004202}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:44c5:ef28:42ec:7b5win-dc-tcontreras-attack-range-891.attackrange.local63426-truefe80:0:0:0:44c5:ef28:42ec:7b5win-dc-tcontreras-attack-range-891.attackrange.local445microsoft-ds 23542300x800000000000000090813Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:26.564{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AD1A2E28BF66BB7040ED5B290BF2339,SHA256=119421E620602B0C94BB3CB894C9D1D15DDE6B8C62F8DFB46F0326A2A71A34F6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090812Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:26.550{9531C931-286C-623C-0B00-000000004302}6284776C:\Windows\system32\lsass.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090811Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:26.550{9531C931-286C-623C-0B00-000000004302}6284776C:\Windows\system32\lsass.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090810Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:26.550{9531C931-286C-623C-0B00-000000004302}6284776C:\Windows\system32\lsass.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090809Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:26.533{9531C931-286C-623C-0B00-000000004302}6284776C:\Windows\system32\lsass.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000121355Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:26.361{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15062C4EEC20886509BEA42C6070F495,SHA256=8CAC5160C4348BC13068676ECA1E28B8048A7DE06CA9B5F66AD584C3F0678DBD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000090808Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:24.582{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51792-false10.0.1.12-8000- 23542300x800000000000000090814Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:27.548{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB183B3D1DE29EF680B30532894F3174,SHA256=7565BF084A47D572E7FC565909EBA4C79AB50A4EEF92FA779F765D74EA4D4305,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121356Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:27.455{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7217E78B7AEF11D7D417170F7F37A6A,SHA256=D8B0B31FBA68C5FD41B03A935ADE0CFB807DFAAE0881D3E31EFABE0D85F13787,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090815Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:28.642{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E610FA0354526C93468D6323F2689BA2,SHA256=A2B870F3A758D69145F3771126BF3E3B4ADF91E096324518B2DE1902BA2FEB30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121357Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:28.549{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27A9421F0BC3DD795B214D6D1A38FA9C,SHA256=D685C3E74B910D587DD1C79F8A16086D13BDB6732255BA6D0A15F39246C1C70E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121359Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:29.643{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD73A8F5A1E3928CBCE25A6E732D56E4,SHA256=8F530BD818835D73FA890A6821B44DC5E13A644DF0EFC4D40538D0181F1F268C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090840Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:29.783{9531C931-513E-623C-6505-000000004302}35882724C:\Windows\Explorer.EXE{9531C931-51A5-623C-9705-000000004302}5988C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090839Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:29.783{9531C931-513E-623C-6505-000000004302}35882724C:\Windows\Explorer.EXE{9531C931-51A5-623C-9705-000000004302}5988C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090838Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:29.783{9531C931-513E-623C-6505-000000004302}35882724C:\Windows\Explorer.EXE{9531C931-51A5-623C-9705-000000004302}5988C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090837Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:29.767{9531C931-513D-623C-6005-000000004302}32162744C:\Windows\system32\taskhostw.exe{9531C931-51A5-623C-9805-000000004302}584C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000090836Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:29.751{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBFB7E973AA92D56CA7C93D411A57882,SHA256=FEB40C23F3B6CC5B196C8D9EF9AAC687E54654C87F6850DE922E19332D19CB82,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090835Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:29.705{9531C931-513D-623C-6005-000000004302}32162744C:\Windows\system32\taskhostw.exe{9531C931-51A5-623C-9805-000000004302}584C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090834Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:29.533{9531C931-513E-623C-6505-000000004302}35881252C:\Windows\Explorer.EXE{9531C931-51A5-623C-9705-000000004302}5988C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090833Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:29.533{9531C931-513E-623C-6505-000000004302}35881252C:\Windows\Explorer.EXE{9531C931-51A5-623C-9705-000000004302}5988C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090832Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:29.533{9531C931-513E-623C-6505-000000004302}35881252C:\Windows\Explorer.EXE{9531C931-51A5-623C-9705-000000004302}5988C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090831Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:29.533{9531C931-513E-623C-6505-000000004302}35881252C:\Windows\Explorer.EXE{9531C931-51A5-623C-9705-000000004302}5988C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090830Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:29.518{9531C931-513E-623C-6505-000000004302}35884184C:\Windows\Explorer.EXE{9531C931-51A5-623C-9805-000000004302}584C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bc660|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090829Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:29.518{9531C931-513E-623C-6505-000000004302}35884184C:\Windows\Explorer.EXE{9531C931-51A5-623C-9805-000000004302}584C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10ac30|C:\Windows\System32\SHELL32.dll+bc61c|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090828Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:29.518{9531C931-513E-623C-6505-000000004302}35884184C:\Windows\Explorer.EXE{9531C931-51A5-623C-9805-000000004302}584C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bc5f0|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090827Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:29.518{9531C931-513E-623C-6505-000000004302}35884184C:\Windows\Explorer.EXE{9531C931-51A5-623C-9805-000000004302}584C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+1007b9|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090826Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:29.455{9531C931-286E-623C-1400-000000004302}9522352C:\Windows\system32\svchost.exe{9531C931-51A5-623C-9805-000000004302}584C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090825Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:29.439{9531C931-286E-623C-1400-000000004302}9521104C:\Windows\system32\svchost.exe{9531C931-51A5-623C-9805-000000004302}584C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090824Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:29.408{9531C931-51A5-623C-9805-000000004302}5843764C:\Windows\system32\conhost.exe{9531C931-51A5-623C-9705-000000004302}5988C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090823Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:29.345{9531C931-5139-623C-5205-000000004302}15401844C:\Windows\system32\csrss.exe{9531C931-51A5-623C-9805-000000004302}584C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000090822Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:29.330{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090821Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:29.330{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090820Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:29.330{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090819Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:29.330{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090818Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:29.330{9531C931-5139-623C-5205-000000004302}15401684C:\Windows\system32\csrss.exe{9531C931-51A5-623C-9705-000000004302}5988C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000090817Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:29.330{9531C931-513E-623C-6505-000000004302}35885628C:\Windows\Explorer.EXE{9531C931-51A5-623C-9705-000000004302}5988C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e70b|C:\Windows\System32\windows.storage.dll+16e421|C:\Windows\System32\windows.storage.dll+16e06e|C:\Windows\System32\windows.storage.dll+16f310|C:\Windows\System32\windows.storage.dll+16ddbe|C:\Windows\System32\windows.storage.dll+fce7d|C:\Windows\System32\windows.storage.dll+fd5bc|C:\Windows\System32\windows.storage.dll+20f400|C:\Windows\System32\windows.storage.dll+1664ca|C:\Windows\System32\windows.storage.dll+166222|C:\Windows\System32\SHELL32.dll+9cf3d|C:\Windows\System32\SHELL32.dll+9bad6|C:\Windows\System32\SHELL32.dll+d9be1|C:\Windows\System32\SHELL32.dll+c0bbe|C:\Windows\System32\SHELL32.dll+159d80|C:\Windows\System32\SHELL32.dll+15890c|C:\Windows\System32\SHELL32.dll+1982a8|C:\Windows\System32\SHELL32.dll+158aa6|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07 154100x800000000000000090816Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:29.333{9531C931-51A5-623C-9705-000000004302}5988C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon"C:\Windows\system32\WIN-HOST-TCONTR\Administrator{9531C931-513B-623C-21B3-330000000000}0x33b3212HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{9531C931-513E-623C-6505-000000004302}3588C:\Windows\explorer.exeC:\Windows\Explorer.EXE 354300x8000000000000000121358Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:26.849{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63427-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000121360Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:30.736{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71D75D3F2548CC27D27AF054264D6571,SHA256=2A353034523A761D6BF118F267F14FE5028125F7277EB42BABDD5132D545613F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090842Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:30.736{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C25809754F1BC04D5B85FF568840543,SHA256=BB2F7B319D83D3E915C741E9BC958AD19A16A16F52F9859C8C4DBB89EA0A457E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090841Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:30.361{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7980AE124F9BE772BC711A33304950F9,SHA256=6BC65C20AEE58EC5764E32A5021B3C756D244FCDCDA185EE3F2ACA1A895B4122,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121361Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:31.830{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4681E1F3165805B9958B311E08FBD03A,SHA256=16B648A3305A35271FEBFCE80FEE506EC554E53098A9D331096084AB2D3FF390,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090844Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:31.830{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C0294A41603760849826B5D898E3427,SHA256=B2D8ECC1529EF12704491EBAB49E03E0EDB75A9092DC73B98C28A14F5D87D69C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090843Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:31.673{9531C931-286E-623C-2100-000000004302}2000NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B25FDCC12974A9C381F03B139373D5A,SHA256=CCB13157BCC6FA0284F12C6446F2447FFDD0F4F85F98465868293CDAEA96B09E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121362Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:32.924{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A537646EF3408FCD56F2A063E998269,SHA256=F1BD8BBB02EFADAEFFB7A329315A26EE49D290F54513984511A2EBAA09885616,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090846Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:32.923{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC0FB5BCF38ABA95F1B303857822FBA1,SHA256=E73C3C54154378AB5E642F81ADD8775E509AB3427E05391AB2A91DE92F2003EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000090845Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:29.769{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51793-false10.0.1.12-8000- 354300x800000000000000090847Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:31.208{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51794-false10.0.1.12-8089- 23542300x8000000000000000121363Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:34.018{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D179F2F12AF29FBEA7BAD5A6E00D0270,SHA256=544798E1B063BC30F076842214F51AD7D1B5B00C565C3FB6D8BB45FACD296C12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090848Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:34.017{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CB5CD09DEF68F67CF5B7B2E494A39CE,SHA256=5B728206A321934A13719714BD82A046C5E9AE8D1D68EEE814AB6F71A83EEFD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121367Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:35.658{5F3DCEF0-287B-623C-3200-000000004202}2344NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=5B189C3DBFCACC02CFD8C4436ABAECFC,SHA256=962C5743E649585BDEC7E01516427DBFBA60391DA59E531D69DAF7FAB6AE7FD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121366Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:35.455{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=17114499F5B2043DBBE1374477760334,SHA256=EFE5EF0D895697A1BED4714014CAD05F15724C0F3B6B3DBDD7A2FFF564ECDB41,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000121365Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:32.864{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63428-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000121364Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:35.111{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78902421DBB5D774098698B6BEF4B9D5,SHA256=348EFD4BB1FA303DF693C5BB9E350A0D550968522ED1663840343076C4DA23E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090849Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:35.111{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=072E0D2DC7983993E4B2C6118AF94F51,SHA256=A4BFF17ECA71D22F74E7CE76210BC71D0A204A4EAEF78A932F98765F44953C56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121368Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:36.205{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A122C7B44BA0F6173E84C4F1F00ABE6,SHA256=6B1C8A83189CBB3FE2B175EB3155B6519FC64602AAC0E75B454650E9F49BCA2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090850Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:36.224{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C5A320EFD6BE0EC04BEE9D0E5B4098D,SHA256=6689FF8417AF902811DB480036F04A80752AD0A9290ADE0082844341DB0B3012,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090869Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:37.757{9531C931-513E-623C-6505-000000004302}35882724C:\Windows\Explorer.EXE{9531C931-51A5-623C-9705-000000004302}5988C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090868Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:37.757{9531C931-513E-623C-6505-000000004302}35882724C:\Windows\Explorer.EXE{9531C931-51A5-623C-9705-000000004302}5988C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090867Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:37.757{9531C931-513E-623C-6505-000000004302}35882724C:\Windows\Explorer.EXE{9531C931-51A5-623C-9705-000000004302}5988C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090866Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:37.741{9531C931-513E-623C-6505-000000004302}35884184C:\Windows\Explorer.EXE{9531C931-51A5-623C-9805-000000004302}584C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bc660|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090865Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:37.741{9531C931-513E-623C-6505-000000004302}35884184C:\Windows\Explorer.EXE{9531C931-51A5-623C-9805-000000004302}584C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10ac30|C:\Windows\System32\SHELL32.dll+bc61c|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090864Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:37.741{9531C931-513E-623C-6505-000000004302}35884184C:\Windows\Explorer.EXE{9531C931-51A5-623C-9805-000000004302}584C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bc5f0|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090863Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:37.741{9531C931-513E-623C-6505-000000004302}35884184C:\Windows\Explorer.EXE{9531C931-51A5-623C-9805-000000004302}584C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+1007b9|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000090862Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:35.679{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51795-false10.0.1.12-8000- 10341000x800000000000000090861Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:37.459{9531C931-513E-623C-6505-000000004302}35885628C:\Windows\Explorer.EXE{9531C931-51A5-623C-9705-000000004302}5988C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+8a12e|C:\Windows\System32\ole32.dll+89a2b|C:\Windows\System32\ole32.dll+88be7|C:\Windows\System32\ole32.dll+8c817|C:\Windows\System32\SHELL32.dll+2c905d|C:\Windows\System32\SHELL32.dll+2839ce|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9 10341000x800000000000000090860Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:37.459{9531C931-513E-623C-6505-000000004302}35885628C:\Windows\Explorer.EXE{9531C931-51A5-623C-9705-000000004302}5988C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+b5f02|C:\Windows\System32\ole32.dll+899f9|C:\Windows\System32\ole32.dll+88be7|C:\Windows\System32\ole32.dll+8c817|C:\Windows\System32\SHELL32.dll+2c905d|C:\Windows\System32\SHELL32.dll+2839ce|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9 23542300x800000000000000090859Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:37.319{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14FE3CE0D429D77689287BEA5681C021,SHA256=D893F5545D485FEE4AD3582C8FF4B9E3580E7D3ABDB518075EE7B9DA2FE953AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121369Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:37.303{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED62CCA7418F76D62A30129F14E3FF93,SHA256=5D1CAE63B7830E58FB6CBADFC377602D7BA29D8677DCEE0AD89388DFA5A1D8FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090858Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:37.225{9531C931-286E-623C-1400-000000004302}9522352C:\Windows\system32\svchost.exe{9531C931-51AD-623C-9905-000000004302}5908C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090857Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:37.225{9531C931-286E-623C-1400-000000004302}9521104C:\Windows\system32\svchost.exe{9531C931-51AD-623C-9905-000000004302}5908C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090856Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:37.209{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-51AD-623C-9905-000000004302}5908C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090855Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:37.194{9531C931-5139-623C-5205-000000004302}15403348C:\Windows\system32\csrss.exe{9531C931-51AD-623C-9905-000000004302}5908C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000090854Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:37.194{9531C931-286C-623C-0500-000000004302}408424C:\Windows\system32\csrss.exe{9531C931-51AD-623C-9905-000000004302}5908C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000090853Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:37.194{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-51AD-623C-9905-000000004302}5908C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f553|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25bc9|c:\windows\system32\rpcss.dll+40ca2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090852Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:37.178{9531C931-513E-623C-6505-000000004302}35885628C:\Windows\Explorer.EXE{9531C931-51A5-623C-9705-000000004302}5988C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+8a220|C:\Windows\System32\ole32.dll+8c32e|C:\Windows\System32\ole32.dll+8c7fb|C:\Windows\System32\SHELL32.dll+2c905d|C:\Windows\System32\SHELL32.dll+2839ce|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+5888a 10341000x800000000000000090851Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:37.178{9531C931-513E-623C-6505-000000004302}35885628C:\Windows\Explorer.EXE{9531C931-51A5-623C-9705-000000004302}5988C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c1a5|C:\Windows\System32\ole32.dll+8c7fb|C:\Windows\System32\SHELL32.dll+2c905d|C:\Windows\System32\SHELL32.dll+2839ce|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x800000000000000090879Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:38.866{9531C931-51A5-623C-9805-000000004302}5843764C:\Windows\system32\conhost.exe{9531C931-51AE-623C-9A05-000000004302}6108C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090878Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:38.866{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090877Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:38.866{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090876Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:38.866{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090875Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:38.866{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090874Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:38.866{9531C931-5139-623C-5205-000000004302}15403348C:\Windows\system32\csrss.exe{9531C931-51AE-623C-9A05-000000004302}6108C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000090873Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:38.866{9531C931-51A5-623C-9705-000000004302}59886060C:\Windows\system32\cmd.exe{9531C931-51AE-623C-9A05-000000004302}6108C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000090872Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:38.830{9531C931-51AE-623C-9A05-000000004302}6108C:\Program Files\ansible\sysmon\Sysmon64.exe13.01System activity monitorSysinternals SysmonSysinternals - www.sysinternals.com-Sysmon64.exe -c "C:\Program Files\ansible\AttackRangeSysmon.xml"C:\Program Files\ansible\sysmon\WIN-HOST-TCONTR\Administrator{9531C931-513B-623C-21B3-330000000000}0x33b3212HighMD5=8A914CFB7496B8461285C009DD8F5627,SHA256=422EC998FED690C2EC3239A4BB80075F098A9A95CBDFFBC873365B9F7136A02A,IMPHASH=DCF866F4139DD7FF6C0A5D4FA050CD7A{9531C931-51A5-623C-9705-000000004302}5988C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon" 23542300x800000000000000090871Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:38.412{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=915ECB5D4A232959809525180005E035,SHA256=D6D5E900747868EF29C3F0D634F32DC0491839A83F53C1C58C307EAD51CD99EA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121371Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:38.959{5F3DCEF0-286D-623C-0D00-000000004202}8841160C:\Windows\system32\svchost.exe{5F3DCEF0-286D-623C-1600-000000004202}1260C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3d877|c:\windows\system32\rpcss.dll+29a97|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000121370Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:38.396{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBCE2B5EF0F594F7FF548D67B01DA9E9,SHA256=DBC4C3A353DCCACD0591A73A87F70888DD689658C7C8F9C1252FF2BFA36787FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090870Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:38.256{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3BC6215747DD5B84D6EC1470AE2A3F73,SHA256=3D6BA97CD6B0FDCB4551D17054E1D0A93C18E6D302D07EEEA97D0120ED73E1CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090894Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:39.506{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05113824C0207D3981D8A5A43C720C81,SHA256=781039F2F065A34BF5D1357E3C1739EAE516225DD375966D2C8540ACEB83946F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121373Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:39.490{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5F6B6EE8E652DB39FA15ADE70BE976A,SHA256=B562401277B3A266A585C70E5A06E5B5260C0045C12D6EA69B2884D92F3E5619,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000090893Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:10:39.209{9531C931-51AE-623C-9A05-000000004302}6108C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigHashSHA256=8BBF730054C1B1262A9148F87A46CE645EAEBE317D472FDF18F3F63A70E079E9 13241300x800000000000000090892Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:10:39.209{9531C931-51AE-623C-9A05-000000004302}6108C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigFileC:\Program Files\ansible\AttackRangeSysmon.xml 16341600x800000000000000090891Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-9712022-03-24 11:10:39.209C:\Program Files\ansible\AttackRangeSysmon.xmlSHA256=8BBF730054C1B1262A9148F87A46CE645EAEBE317D472FDF18F3F63A70E079E9 13241300x800000000000000090890Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:10:39.209{9531C931-51AE-623C-9A05-000000004302}6108C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\RulesBinary Data 13241300x800000000000000090889Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:10:39.209{9531C931-51AE-623C-9A05-000000004302}6108C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\DnsLookupBinary Data 13241300x800000000000000090888Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:10:39.209{9531C931-51AE-623C-9A05-000000004302}6108C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\CheckRevocationBinary Data 13241300x800000000000000090887Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:10:39.209{9531C931-51AE-623C-9A05-000000004302}6108C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\HashingAlgorithmDWORD (0x8000000e) 13241300x800000000000000090886Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 11:10:39.209{9531C931-51AE-623C-9A05-000000004302}6108C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\OptionsDWORD (0x00000007) 12241200x800000000000000090885Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-DeleteValue2022-03-24 11:10:39.209{9531C931-51AE-623C-9A05-000000004302}6108C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\Rules 12241200x800000000000000090884Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-DeleteValue2022-03-24 11:10:39.209{9531C931-51AE-623C-9A05-000000004302}6108C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\DnsLookup 12241200x800000000000000090883Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-DeleteValue2022-03-24 11:10:39.209{9531C931-51AE-623C-9A05-000000004302}6108C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\CheckRevocation 12241200x800000000000000090882Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-DeleteValue2022-03-24 11:10:39.209{9531C931-51AE-623C-9A05-000000004302}6108C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\HashingAlgorithm 12241200x800000000000000090881Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-DeleteValue2022-03-24 11:10:39.209{9531C931-51AE-623C-9A05-000000004302}6108C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\Options 10341000x800000000000000090880Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:39.209{9531C931-286C-623C-0B00-000000004302}6284776C:\Windows\system32\lsass.exe{9531C931-51AE-623C-9A05-000000004302}6108C:\Program Files\ansible\sysmon\Sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000121372Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:39.224{5F3DCEF0-286D-623C-1300-000000004202}488NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=8C9E4A834DBCD90EF24449A1290C817C,SHA256=86882E1C824DF4FB806F40023E4525B37F147D33672F220D101FB7ADCE93C1C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121374Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:40.584{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99B5BE0C5D347EAB550FD69A5BF046E7,SHA256=F2BB83F2A3DB62D2036E72FA8DB6759747CF22FEBEF404084CD8FA02F24976D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090896Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:40.600{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E64697D534C32317DC3885A4D93E7AD,SHA256=1731FCBE8551F0D5C1B9E9633CD27C5151182934EFEB42F8813ECF1E22BFC295,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090895Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:40.037{9531C931-286D-623C-1200-000000004302}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=D6A478F2A52B3B56A0F35573CEFEE213,SHA256=3E4B7306DA90A78A0BDC763D512BF3C35A3BF7B4420C356E4C025F3FD9503EE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121377Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:41.928{5F3DCEF0-287B-623C-3200-000000004202}2344NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B25FDCC12974A9C381F03B139373D5A,SHA256=CCB13157BCC6FA0284F12C6446F2447FFDD0F4F85F98465868293CDAEA96B09E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121376Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:41.678{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CF43FDD415ABE526661CCB82D9EB227,SHA256=C6EFB6A21F396D4BFD447049B53E880473C7CB2ED0F1C366E9658F1AE560ABDB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000121375Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:38.805{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63429-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000090897Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:41.694{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD23566E2DF430C2A788CAF9844B60E9,SHA256=CFD890E97DC114A479BEEBC0C24CBE8BC3F5E3E888B81E8F17AAD89B47F9E310,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121379Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:42.662{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=994A792F80EEF7397E566BA91B2373AB,SHA256=E4D2917CA538040A76CE0DD7C3F92A876D5F9A075400E2D604333488E3BB05E8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000090899Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:40.806{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51796-false10.0.1.12-8000- 23542300x800000000000000090898Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:42.787{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBF251AB6D38E9CF81E650DBDBFAC615,SHA256=B1A95D7E5FEF759F8DD40E995AB56C6E1318509EEF22C58FE8B7C24264D5C855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121378Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:42.334{5F3DCEF0-286D-623C-0D00-000000004202}8841160C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3400-000000004202}2020C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3d877|c:\windows\system32\rpcss.dll+29a97|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000121380Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:43.756{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96EDAEBCD0ECEE5BBC2A93A7BFD3CEF2,SHA256=8C8509C0CFD01E5C4D82377A7097EADA873551281FB7AB95466A36ECEE7D2568,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090907Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:43.881{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=245684E1A41FDDD340F8A23F249A1532,SHA256=D34ACABDBEAA120FE0B53B67980B34A2A0392A50168EEE29A155207EBC790C8A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090906Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:43.459{9531C931-513E-623C-6505-000000004302}35882724C:\Windows\Explorer.EXE{9531C931-5194-623C-9505-000000004302}5852C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090905Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:43.459{9531C931-513E-623C-6505-000000004302}35882724C:\Windows\Explorer.EXE{9531C931-5194-623C-9505-000000004302}5852C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090904Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:43.459{9531C931-513E-623C-6505-000000004302}35882724C:\Windows\Explorer.EXE{9531C931-5194-623C-9505-000000004302}5852C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090903Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:43.459{9531C931-513E-623C-6505-000000004302}35884184C:\Windows\Explorer.EXE{9531C931-5194-623C-9505-000000004302}5852C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bc660|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090902Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:43.459{9531C931-513E-623C-6505-000000004302}35884184C:\Windows\Explorer.EXE{9531C931-5194-623C-9505-000000004302}5852C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10ac30|C:\Windows\System32\SHELL32.dll+bc61c|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090901Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:43.459{9531C931-513E-623C-6505-000000004302}35884184C:\Windows\Explorer.EXE{9531C931-5194-623C-9505-000000004302}5852C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bc5f0|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090900Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:43.459{9531C931-513E-623C-6505-000000004302}35884184C:\Windows\Explorer.EXE{9531C931-5194-623C-9505-000000004302}5852C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+1007b9|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000121382Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:44.849{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B789FFB907C4DD5B673C9CF215B0F853,SHA256=36A7F5D0228ADF527D3C939E2E70FB419DEE68558E7264711C74B04DFE9875B5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090933Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:44.991{9531C931-513D-623C-6005-000000004302}32162744C:\Windows\system32\taskhostw.exe{9531C931-51B4-623C-9C05-000000004302}5696C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090932Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:44.975{9531C931-513D-623C-6005-000000004302}32162744C:\Windows\system32\taskhostw.exe{9531C931-51B4-623C-9C05-000000004302}5696C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090931Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:44.944{9531C931-513E-623C-6505-000000004302}35884256C:\Windows\Explorer.EXE{9531C931-51B4-623C-9B05-000000004302}5728C:\Temp\doublezero_s.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090930Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:44.944{9531C931-513E-623C-6505-000000004302}35884256C:\Windows\Explorer.EXE{9531C931-51B4-623C-9B05-000000004302}5728C:\Temp\doublezero_s.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090929Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:44.944{9531C931-513E-623C-6505-000000004302}35884256C:\Windows\Explorer.EXE{9531C931-51B4-623C-9B05-000000004302}5728C:\Temp\doublezero_s.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090928Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:44.944{9531C931-513E-623C-6505-000000004302}35884256C:\Windows\Explorer.EXE{9531C931-51B4-623C-9B05-000000004302}5728C:\Temp\doublezero_s.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090927Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:44.944{9531C931-513E-623C-6505-000000004302}35884184C:\Windows\Explorer.EXE{9531C931-51B4-623C-9C05-000000004302}5696C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bc660|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090926Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:44.944{9531C931-513E-623C-6505-000000004302}35884184C:\Windows\Explorer.EXE{9531C931-51B4-623C-9C05-000000004302}5696C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10ac30|C:\Windows\System32\SHELL32.dll+bc61c|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090925Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:44.944{9531C931-513E-623C-6505-000000004302}35884184C:\Windows\Explorer.EXE{9531C931-51B4-623C-9C05-000000004302}5696C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bc5f0|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090924Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:44.944{9531C931-513E-623C-6505-000000004302}35884184C:\Windows\Explorer.EXE{9531C931-51B4-623C-9C05-000000004302}5696C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+1007b9|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090923Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:44.928{9531C931-286E-623C-1400-000000004302}9522352C:\Windows\system32\svchost.exe{9531C931-51B4-623C-9C05-000000004302}5696C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090922Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:44.928{9531C931-286E-623C-1400-000000004302}9521104C:\Windows\system32\svchost.exe{9531C931-51B4-623C-9C05-000000004302}5696C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090921Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:44.913{9531C931-51B4-623C-9C05-000000004302}56965832C:\Windows\system32\conhost.exe{9531C931-51B4-623C-9B05-000000004302}5728C:\Temp\doublezero_s.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090920Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:44.897{9531C931-5139-623C-5205-000000004302}15401844C:\Windows\system32\csrss.exe{9531C931-51B4-623C-9C05-000000004302}5696C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000090919Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:44.881{9531C931-286D-623C-1100-000000004302}9325700C:\Windows\System32\svchost.exe{9531C931-51B4-623C-9C05-000000004302}5696C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000121381Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:41.665{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63430-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x800000000000000090918Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:44.881{9531C931-286D-623C-1100-000000004302}9325700C:\Windows\System32\svchost.exe{9531C931-51B4-623C-9B05-000000004302}5728C:\Temp\doublezero_s.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000090917Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971InvDBSetValue2022-03-24 11:10:44.881{9531C931-286D-623C-1100-000000004302}932C:\Windows\System32\svchost.exeHKU\S-1-5-21-2214540325-3392803530-572759246-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Temp\doublezero_s.exeBinary Data 10341000x800000000000000090916Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:44.881{9531C931-286D-623C-1100-000000004302}9321612C:\Windows\System32\svchost.exe{9531C931-51B4-623C-9B05-000000004302}5728C:\Temp\doublezero_s.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090915Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:44.881{9531C931-286D-623C-1100-000000004302}9321612C:\Windows\System32\svchost.exe{9531C931-513E-623C-6505-000000004302}3588C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090914Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:44.881{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090913Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:44.881{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090912Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:44.881{9531C931-5139-623C-5205-000000004302}15401684C:\Windows\system32\csrss.exe{9531C931-51B4-623C-9B05-000000004302}5728C:\Temp\doublezero_s.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000090911Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:44.881{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090910Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:44.881{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090909Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:44.881{9531C931-513E-623C-6505-000000004302}35885724C:\Windows\Explorer.EXE{9531C931-51B4-623C-9B05-000000004302}5728C:\Temp\doublezero_s.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e70b|C:\Windows\System32\windows.storage.dll+16e421|C:\Windows\System32\windows.storage.dll+16e06e|C:\Windows\System32\windows.storage.dll+16f310|C:\Windows\System32\windows.storage.dll+16ddbe|C:\Windows\System32\windows.storage.dll+fce7d|C:\Windows\System32\windows.storage.dll+fd5bc|C:\Windows\System32\windows.storage.dll+fc920|C:\Windows\System32\windows.storage.dll+1664ca|C:\Windows\System32\windows.storage.dll+166222|C:\Windows\System32\SHELL32.dll+9cf3d|C:\Windows\System32\SHELL32.dll+9bad6|C:\Windows\System32\SHELL32.dll+d9be1|C:\Windows\System32\SHELL32.dll+c0bbe|C:\Windows\System32\SHELL32.dll+18d1bc|C:\Windows\System32\SHELL32.dll+18cf13|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000090908Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:44.865{9531C931-51B4-623C-9B05-000000004302}5728C:\Temp\doublezero_s.exe-----"C:\Temp\doublezero_s.exe" C:\Temp\WIN-HOST-TCONTR\Administrator{9531C931-513B-623C-21B3-330000000000}0x33b3212HighMD5=7D20FA01A703AFA8907E50417D27B0A4,SHA256=3B2E708EAA4744C76A633391CF2C983F4A098B46436525619E5EA44E105355FE,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{9531C931-513E-623C-6505-000000004302}3588C:\Windows\explorer.exeC:\Windows\Explorer.EXE 23542300x8000000000000000121383Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:45.943{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FD94BAB5021E6B2F53D70EF54109501,SHA256=E68F4A559DE6159E790FBA6C079EA4B51714C8C9790AFC2D446F02E8ECFA5E46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090945Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:45.975{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1B05D303B7A542A55529CB236C3F188,SHA256=B9D73C60068EC579581A43B05FC94FDFFE3221AC345985047839DC126002A1AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090944Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:45.928{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=33B2F391B3520C6D41149171C452B55C,SHA256=23632F6F9E0B3E6DA72A409EFA7B40E7154847BF160FBACE7D33177378365569,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090943Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:45.866{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=287FA8FC5959A97E87C75D87CB659C8D,SHA256=C88893D4614B9000E1F81B714960BC1F175F4397671A71F58399C4D359F9F702,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000090942Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:45.350{9531C931-513D-623C-5E05-000000004302}2412C:\Windows\System32\svchost.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x800000000000000090941Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:45.373{9531C931-286C-623C-0B00-000000004302}6284776C:\Windows\system32\lsass.exe{9531C931-51B4-623C-9B05-000000004302}5728C:\Temp\doublezero_s.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090940Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:45.350{9531C931-286C-623C-0B00-000000004302}6284776C:\Windows\system32\lsass.exe{9531C931-51B4-623C-9B05-000000004302}5728C:\Temp\doublezero_s.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090939Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:45.350{9531C931-286C-623C-0B00-000000004302}6284776C:\Windows\system32\lsass.exe{9531C931-51B4-623C-9B05-000000004302}5728C:\Temp\doublezero_s.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090938Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:45.147{9531C931-286C-623C-0B00-000000004302}6284776C:\Windows\system32\lsass.exe{9531C931-51B4-623C-9B05-000000004302}5728C:\Temp\doublezero_s.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090937Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:45.006{9531C931-513E-623C-6505-000000004302}35882724C:\Windows\Explorer.EXE{9531C931-51B4-623C-9B05-000000004302}5728C:\Temp\doublezero_s.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090936Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:45.006{9531C931-513E-623C-6505-000000004302}35882724C:\Windows\Explorer.EXE{9531C931-51B4-623C-9B05-000000004302}5728C:\Temp\doublezero_s.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090935Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:45.006{9531C931-513E-623C-6505-000000004302}35882724C:\Windows\Explorer.EXE{9531C931-51B4-623C-9B05-000000004302}5728C:\Temp\doublezero_s.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000090934Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:45.006{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=220D99C16364E725A6AB1E954011FF38,SHA256=870A5156F675A554C11A510E3FCFFE793312F1744A372CE95CE4446B32D9C3CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090948Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:46.975{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7887346630654F722D2F6DDF8D68E7DB,SHA256=4B32C6CFF3604B7D0CDBCC59A88F014BB53C62507BD1386C353E73DE4D483FAE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000090947Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:44.943{9531C931-2850-623C-0100-000000004302}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-137netbios-nsfalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal137netbios-ns 354300x800000000000000090946Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:44.943{9531C931-2850-623C-0100-000000004302}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal137netbios-nsfalse10.0.1.255-137netbios-ns 354300x8000000000000000121386Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:45.142{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local53domainfalse10.0.1.15WIN-HOST-TCONTR55044- 354300x8000000000000000121385Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:45.138{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local53domainfalse10.0.1.15WIN-HOST-TCONTR56739- 354300x8000000000000000121384Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:44.805{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63431-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000090950Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:47.694{9531C931-286C-623C-0B00-000000004302}6284776C:\Windows\system32\lsass.exe{9531C931-51B4-623C-9B05-000000004302}5728C:\Temp\doublezero_s.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x800000000000000090949Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:45.394{9531C931-51B4-623C-9B05-000000004302}5728_ldap._tcp.dc._msdcs.WIN-HOST-TCONTR9003-C:\Temp\doublezero_s.exe 23542300x8000000000000000121387Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:47.037{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADEAF101D7DAD616D3D2442229E3106F,SHA256=D987F1610DD9BC38823315CC170B300A8152D31C646D50185002292796E822CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121388Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:48.131{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7383E944D487ECA33586FCD5A4BF9147,SHA256=B1B6E5383E87D979FD647AAEA24C84BE7BFC04DB5213CC07F801DC4934B75ACA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090951Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:48.069{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D44094FF9723E3E8772D3AD1C0DE77FA,SHA256=6E535B70951443E341B13C3D87212D02B3182817D70517B8CC6A64A0C006C273,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000121391Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:47.449{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local53domainfalse10.0.1.15WIN-HOST-TCONTR52928- 354300x8000000000000000121390Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:47.448{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local53domainfalse10.0.1.15WIN-HOST-TCONTR61149- 23542300x8000000000000000121389Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:49.224{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F24C9E7B4098D0BB03F91C2A65BF7ECF,SHA256=56FE9694224A6AC6AAFADB5AC65ECFA7BF5ADF41BC5D74A31B2C468A59C08936,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090953Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:49.162{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63D52ED37D964261D4309C26E7018381,SHA256=561FC7C53DC00E4E4C2CD19B43D3EB5611ACB363AD84144EC9F8147AACAFF1AA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000090952Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:46.571{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51797-false10.0.1.12-8000- 23542300x8000000000000000121392Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:50.318{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=231029B063C4E81CBE57FDC79358C4F2,SHA256=5DCA926A6F9CC473F5B1D72D50626FDC65D551956E3C9F4C2FE0C6D25FF49EC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090954Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:50.256{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E289DA01AAC82B247081AA99B0BC2F2,SHA256=C442808470C9F75E2050A2C2CEB507F289142B90B73117FAD9842E3BF178074C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121393Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:51.412{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00F60DD7F2DA1DF3C80ED82CC148F6DA,SHA256=26FDF66AC2CFF2609FD613C96F2CAD0A1257B5123D3A124B8ED108A926066CE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090955Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:51.350{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4122AC571B09B64CB77627661B5527C,SHA256=B683361F9ADE341306FFF9A61049F9E776494CC124F669BA63ED2AA124B1A595,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090987Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:52.874{9531C931-513C-623C-5805-000000004302}4162768C:\Windows\servicing\TrustedInstaller.exe{9531C931-513C-623C-5A05-000000004302}2984C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5001_none_7f26fe1021d6779b\TiWorker.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\combase.dll+52f08|C:\Windows\servicing\TrustedInstaller.exe+43a2|C:\Windows\servicing\TrustedInstaller.exe+1d1d|C:\Windows\servicing\TrustedInstaller.exe+28c6|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090986Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:52.824{9531C931-513E-623C-6505-000000004302}35882724C:\Windows\Explorer.EXE{9531C931-5194-623C-9505-000000004302}5852C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090985Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:52.824{9531C931-513E-623C-6505-000000004302}35882724C:\Windows\Explorer.EXE{9531C931-5194-623C-9505-000000004302}5852C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090984Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:52.824{9531C931-513E-623C-6505-000000004302}35882724C:\Windows\Explorer.EXE{9531C931-5194-623C-9505-000000004302}5852C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090983Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:52.762{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-51BC-623C-9F05-000000004302}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090982Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:52.762{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090981Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:52.762{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090980Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:52.762{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090979Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:52.762{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090978Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:52.762{9531C931-286C-623C-0500-000000004302}4081060C:\Windows\system32\csrss.exe{9531C931-51BC-623C-9F05-000000004302}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000090977Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:52.762{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-51BC-623C-9F05-000000004302}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000090976Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:52.763{9531C931-51BC-623C-9F05-000000004302}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000090975Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:52.730{9531C931-513E-623C-6505-000000004302}35884184C:\Windows\Explorer.EXE{9531C931-5194-623C-9505-000000004302}5852C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bc660|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090974Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:52.730{9531C931-513E-623C-6505-000000004302}35884184C:\Windows\Explorer.EXE{9531C931-5194-623C-9505-000000004302}5852C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10ac30|C:\Windows\System32\SHELL32.dll+bc61c|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090973Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:52.730{9531C931-513E-623C-6505-000000004302}35884184C:\Windows\Explorer.EXE{9531C931-5194-623C-9505-000000004302}5852C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bc5f0|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090972Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:52.730{9531C931-513E-623C-6505-000000004302}35884184C:\Windows\Explorer.EXE{9531C931-5194-623C-9505-000000004302}5852C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+1007b9|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090971Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:52.574{9531C931-5139-623C-5205-000000004302}15403348C:\Windows\system32\csrss.exe{9531C931-51BC-623C-9E05-000000004302}6024C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000090970Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:52.574{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090969Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:52.574{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090968Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:52.574{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090967Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:52.574{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090966Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:52.574{9531C931-513E-623C-6505-000000004302}35885012C:\Windows\Explorer.EXE{9531C931-51BC-623C-9E05-000000004302}6024C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Notepad++\NppShell_06.dll+4449|C:\Program Files\Notepad++\NppShell_06.dll+46a6|C:\Windows\System32\SHELL32.dll+d9c67|C:\Windows\System32\SHELL32.dll+c0bbe|C:\Windows\System32\SHELL32.dll+15890c|C:\Windows\System32\SHELL32.dll+1982a8|C:\Windows\System32\SHELL32.dll+284613|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+158c54|C:\Windows\System32\SHELL32.dll+15602e|C:\Windows\System32\SHELL32.dll+cd0c1|C:\Windows\System32\SHELL32.dll+cffa6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53 154100x800000000000000090965Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:52.576{9531C931-51BC-623C-9E05-000000004302}6024C:\Program Files\Notepad++\notepad++.exe8.33Notepad++ : a free (GPL) source code editorNotepad++Don HO don.h@free.frnotepad++.exe"C:\Program Files\Notepad++\notepad++.exe" "C:\Temp\terraform_376750791.cmd"C:\Windows\system32\WIN-HOST-TCONTR\Administrator{9531C931-513B-623C-21B3-330000000000}0x33b3212HighMD5=4F97FC820667DEBD2A076D99E4656179,SHA256=7CBA6F6EDC53CAFAC8D74451EE4EFCFF1CA0D8EAF5BF111B9717B3A14BC5791F,IMPHASH=6BF41AAD44CE76BBBB7AA843748061B9{9531C931-513E-623C-6505-000000004302}3588C:\Windows\explorer.exeC:\Windows\Explorer.EXE 23542300x800000000000000090964Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:52.559{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B08C0DE40EBBF4E85CEA93B4DF4FF46,SHA256=37EF3A97144CE394A0EAD093F7C803ACF2FB42109B4263C8973E8F6A8B4B168E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000121395Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:50.821{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63432-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000121394Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:52.506{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD9C6709058D0F5B22CF0690A30F702A,SHA256=3DC3FAAED090D85069453168754C713F9BE2D85C7056D45CDDB2B64F99DB880F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090963Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:52.147{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-51BC-623C-9D05-000000004302}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090962Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:52.147{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090961Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:52.147{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090960Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:52.147{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090959Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:52.147{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090958Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:52.147{9531C931-286C-623C-0500-000000004302}408424C:\Windows\system32\csrss.exe{9531C931-51BC-623C-9D05-000000004302}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000090957Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:52.147{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-51BC-623C-9D05-000000004302}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000090956Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:52.148{9531C931-51BC-623C-9D05-000000004302}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000090996Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:53.887{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBC221C2503D8CB0A29C63A9DCB7B095,SHA256=2539D4FC207BC02562F25E80D1D3449904EBC75C14472AA448C7414EAB2F0E50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121396Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:53.599{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEC1F0E30C8E94FBDA6B150DEE4DB3E1,SHA256=7FD38F08C793A89685A149E18F413A563FAD448C20C58EEC45BEB58A2435BA65,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090995Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:53.402{9531C931-286E-623C-1400-000000004302}9522352C:\Windows\system32\svchost.exe{9531C931-51BD-623C-A005-000000004302}4192C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090994Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:53.402{9531C931-286E-623C-1400-000000004302}9521104C:\Windows\system32\svchost.exe{9531C931-51BD-623C-A005-000000004302}4192C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090993Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:53.402{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-51BD-623C-A005-000000004302}4192C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090992Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:53.387{9531C931-5139-623C-5205-000000004302}15401684C:\Windows\system32\csrss.exe{9531C931-51BD-623C-A005-000000004302}4192C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000090991Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:53.387{9531C931-286C-623C-0500-000000004302}408424C:\Windows\system32\csrss.exe{9531C931-51BD-623C-A005-000000004302}4192C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000090990Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:53.387{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-51BD-623C-A005-000000004302}4192C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f553|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25bc9|c:\windows\system32\rpcss.dll+40ca2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000090989Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:53.230{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CBAE6F8A2FF28E170115431B36487955,SHA256=0C978DA8C5204420029D67668E0996A03F097DE206C6A8B0BC606A05C785D734,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090988Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:53.012{9531C931-51BC-623C-9F05-000000004302}46885340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000121397Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:54.693{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6BD88B7D9B63A268F3DC46AFDBE1850,SHA256=AE7736990B6A626AB6FD57590FBDD341F7FDC04992A138C5877FA44E374CFE8B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000090998Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:51.665{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51798-false10.0.1.12-8000- 23542300x800000000000000090997Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:54.027{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=8C90EF4D31AD8A8A572F92841D26D3EB,SHA256=EE7909C59F7E669D4E9A0CB5FD5F9558020F7D8EC986EF68A71075043E8B22EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121399Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:55.787{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=175BE857FC70701109224FAFF59315E7,SHA256=DA4F8BC24C88F06995F112DF578D16143E8B47F98D44F6F7A5E2AF998BDDE175,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000091020Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:55.934{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-51BF-623C-A205-000000004302}1420C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091019Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:55.934{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091018Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:55.934{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091017Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:55.934{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091016Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:55.934{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091015Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:55.934{9531C931-286C-623C-0500-000000004302}408424C:\Windows\system32\csrss.exe{9531C931-51BF-623C-A205-000000004302}1420C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000091014Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:55.934{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-51BF-623C-A205-000000004302}1420C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000091013Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:55.934{9531C931-51BF-623C-A205-000000004302}1420C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000091012Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:55.546{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091011Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:55.546{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091010Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:55.528{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091009Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:55.528{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2400-000000004302}1140C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091008Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:55.027{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-51BF-623C-A105-000000004302}4684C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091007Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:55.027{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091006Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:55.027{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091005Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:55.027{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091004Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:55.027{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091003Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:55.027{9531C931-286C-623C-0500-000000004302}408424C:\Windows\system32\csrss.exe{9531C931-51BF-623C-A105-000000004302}4684C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000091002Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:55.027{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-51BF-623C-A105-000000004302}4684C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000091001Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:55.028{9531C931-51BF-623C-A105-000000004302}4684C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000091000Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:55.012{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2649607071477BC75293FE7E83AC64D,SHA256=DC0484068DEF7DCA7D9AF113A9E6C619041B682B48B155760FD820245C70854A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090999Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:54.996{9531C931-286E-623C-2100-000000004302}2000NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=99E8D41B77E85CAA7FCF6C070956EFD4,SHA256=3BAED53A5D8ECB7BFED512CAF87D86BC438557546E0A0EDDF36D947A64C5905D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000121398Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:52.822{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local64465- 23542300x8000000000000000121400Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:56.882{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50D81649D8E01FD9CBA2A4E5CEC2495F,SHA256=9D626A5F378952585CE2AF9151B928B2AB59E68EB4B5DDAFD9274F82ED88E21D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000091032Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:56.959{9531C931-51C0-623C-A305-000000004302}44884492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091031Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:56.553{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-51C0-623C-A305-000000004302}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091030Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:56.553{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091029Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:56.553{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091028Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:56.553{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091027Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:56.553{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091026Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:56.553{9531C931-286C-623C-0500-000000004302}408528C:\Windows\system32\csrss.exe{9531C931-51C0-623C-A305-000000004302}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000091025Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:56.553{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-51C0-623C-A305-000000004302}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000091024Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:56.553{9531C931-51C0-623C-A305-000000004302}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000091023Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:56.402{9531C931-51BF-623C-A205-000000004302}1420172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000091022Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:56.043{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E64F5581EF48F18B3207EBD7AE5EF23B,SHA256=B1D715676D7556C99255AECA0624C4BB3732000757035D74E0435318565DBA43,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000091021Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:56.027{9531C931-513D-623C-5D05-000000004302}9923980C:\Windows\system32\sihost.exe{9531C931-286D-623C-1100-000000004302}932C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+119d|C:\Windows\System32\modernexecserver.dll+41bd7|C:\Windows\System32\modernexecserver.dll+16625|C:\Windows\System32\modernexecserver.dll+48db6|C:\Windows\System32\modernexecserver.dll+34515|C:\Windows\System32\modernexecserver.dll+33e62|C:\Windows\System32\modernexecserver.dll+33ce9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000121401Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:57.975{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E53C75F6A3F1F19550C3956D4D8D50C,SHA256=AA2DE3FA7E075D277CC77CAAEEAB7596730B13AD457F691B972C49EED546CB49,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000091056Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:57.662{9531C931-51C1-623C-A505-000000004302}2824356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091055Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:57.444{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-51C1-623C-A505-000000004302}2824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091054Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:57.444{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091053Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:57.444{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091052Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:57.444{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091051Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:57.444{9531C931-286C-623C-0500-000000004302}408424C:\Windows\system32\csrss.exe{9531C931-51C1-623C-A505-000000004302}2824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000091050Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:57.444{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091049Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:57.444{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-51C1-623C-A505-000000004302}2824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000091048Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:57.445{9531C931-51C1-623C-A505-000000004302}2824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000091047Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:57.179{9531C931-513E-623C-6505-000000004302}35882724C:\Windows\Explorer.EXE{9531C931-5194-623C-9505-000000004302}5852C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091046Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:57.179{9531C931-513E-623C-6505-000000004302}35882724C:\Windows\Explorer.EXE{9531C931-5194-623C-9505-000000004302}5852C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091045Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:57.179{9531C931-513E-623C-6505-000000004302}35882724C:\Windows\Explorer.EXE{9531C931-5194-623C-9505-000000004302}5852C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091044Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:57.162{9531C931-513E-623C-6505-000000004302}35884184C:\Windows\Explorer.EXE{9531C931-5194-623C-9505-000000004302}5852C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bc660|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091043Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:57.162{9531C931-513E-623C-6505-000000004302}35884184C:\Windows\Explorer.EXE{9531C931-5194-623C-9505-000000004302}5852C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10ac30|C:\Windows\System32\SHELL32.dll+bc61c|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091042Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:57.162{9531C931-513E-623C-6505-000000004302}35884184C:\Windows\Explorer.EXE{9531C931-5194-623C-9505-000000004302}5852C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bc5f0|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091041Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:57.162{9531C931-513E-623C-6505-000000004302}35884184C:\Windows\Explorer.EXE{9531C931-5194-623C-9505-000000004302}5852C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+1007b9|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000091040Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:57.131{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7DDC056D6A605E0709CBB273BBB66C7,SHA256=9A76A06AE578EB8BE083BF8E3473B012D5475AF68EB09AD32DD1AC7F1D731563,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000091039Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:57.084{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091038Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:57.084{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091037Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:57.084{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091036Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:57.084{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091035Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:57.084{9531C931-5139-623C-5205-000000004302}15401844C:\Windows\system32\csrss.exe{9531C931-51C1-623C-A405-000000004302}4024C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000091034Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:57.084{9531C931-513E-623C-6505-000000004302}35885012C:\Windows\Explorer.EXE{9531C931-51C1-623C-A405-000000004302}4024C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Notepad++\NppShell_06.dll+4449|C:\Program Files\Notepad++\NppShell_06.dll+46a6|C:\Windows\System32\SHELL32.dll+d9c67|C:\Windows\System32\SHELL32.dll+c0bbe|C:\Windows\System32\SHELL32.dll+15890c|C:\Windows\System32\SHELL32.dll+1982a8|C:\Windows\System32\SHELL32.dll+284613|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+158c54|C:\Windows\System32\SHELL32.dll+15602e|C:\Windows\System32\SHELL32.dll+cd0c1|C:\Windows\System32\SHELL32.dll+cffa6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53 154100x800000000000000091033Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:57.086{9531C931-51C1-623C-A405-000000004302}4024C:\Program Files\Notepad++\notepad++.exe8.33Notepad++ : a free (GPL) source code editorNotepad++Don HO don.h@free.frnotepad++.exe"C:\Program Files\Notepad++\notepad++.exe" "C:\Temp\doublezerodestructor.zip"C:\Windows\system32\WIN-HOST-TCONTR\Administrator{9531C931-513B-623C-21B3-330000000000}0x33b3212HighMD5=4F97FC820667DEBD2A076D99E4656179,SHA256=7CBA6F6EDC53CAFAC8D74451EE4EFCFF1CA0D8EAF5BF111B9717B3A14BC5791F,IMPHASH=6BF41AAD44CE76BBBB7AA843748061B9{9531C931-513E-623C-6505-000000004302}3588C:\Windows\explorer.exeC:\Windows\Explorer.EXE 10341000x8000000000000000121429Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:58.960{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121428Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:58.960{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121427Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:58.960{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121426Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:58.960{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121425Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:58.960{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121424Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:58.960{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121423Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:58.960{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121422Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:58.960{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121421Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:58.960{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121420Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:58.960{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121419Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:58.960{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121418Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:58.960{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121417Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:58.960{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121416Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:58.960{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121415Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:58.960{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121414Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:58.960{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121413Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:58.960{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121412Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:58.960{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121411Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:58.960{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121410Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:58.960{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121409Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:58.960{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121408Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:58.960{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121407Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:58.960{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121406Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:58.960{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121405Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:58.960{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121404Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:58.960{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9800-000000004202}5168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121403Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:58.960{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9800-000000004202}5168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121402Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:58.960{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9800-000000004202}5168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000091062Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:58.834{9531C931-513E-623C-6505-000000004302}3588WIN-HOST-TCONTR\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000014.dbMD5=F4FA8FF8274433093A96D3C38BA006DF,SHA256=FD19F4A674118776D4835C457B636AA10A76D01E06329564581D3A37D86DC9B3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000091061Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:58.804{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000091060Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:58.804{9531C931-286D-623C-0C00-000000004302}7202312C:\Windows\system32\svchost.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000091059Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:58.804{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-5148-623C-7705-000000004302}4308C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000091058Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:58.804{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-5149-623C-7A05-000000004302}4508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 23542300x800000000000000091057Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:58.162{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A08E8FCD0AD7597D2B48C39C6630903B,SHA256=3627DF2DADF40498A5FF24B8A8F68B1BF85A29A26D4B25AA3FED5FA2C915372C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000091071Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:59.490{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-51C3-623C-A605-000000004302}3660C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091070Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:59.475{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091069Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:59.475{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091068Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:59.475{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091067Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:59.475{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091066Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:59.475{9531C931-286C-623C-0500-000000004302}408424C:\Windows\system32\csrss.exe{9531C931-51C3-623C-A605-000000004302}3660C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000091065Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:59.475{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-51C3-623C-A605-000000004302}3660C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000091064Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:59.320{9531C931-51C3-623C-A605-000000004302}3660C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000091063Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:59.272{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49480F2B75450572038E306E4D4B7BB4,SHA256=2252DF631E9E928F5DDF1C9C4956DBF397AA930C4CFBD339F217FE1CC5067B16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121431Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:59.569{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04557943ED973FAE1D1E985C2E408B31,SHA256=A6D6C53EA0B7935D34E6F07C43DB309D1FA9C75D9F39E61AF6F4462F9120077E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000121430Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:10:55.852{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63433-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000091074Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:00.381{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=582E2324F64C4C73761B0DE9A9197C2F,SHA256=FF3FE0CF8959C72375E17EFA07039EDA37A4BD63DA0B8A2AC930758ED00FDF69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000091073Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:00.365{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A1E316ED1DCCB9EB846FB9B9F63890AF,SHA256=9FF9E5A97806F4435F4A7F7E18B288E89824430F878210ABE97AEDC2ACA37C6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121432Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:00.179{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12EE9888D52B5F6EB7289DD22353753D,SHA256=5A5E0955EEF42F6EF9808FF2D0531C8840F047CA8FA06D02CE7AA07CEEB89B1C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000091072Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:10:57.603{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51799-false10.0.1.12-8000- 23542300x800000000000000091081Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:01.475{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B60BC96AE630A59FCC9D5728EAA79D1,SHA256=FA18906F9889AEF30CD0CA4E03253C755EAF21278BC0984918788203572FE31D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000091080Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:01.365{9531C931-286E-623C-1400-000000004302}9522352C:\Windows\system32\svchost.exe{9531C931-51C5-623C-A705-000000004302}3708C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091079Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:01.365{9531C931-286E-623C-1400-000000004302}9521104C:\Windows\system32\svchost.exe{9531C931-51C5-623C-A705-000000004302}3708C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000121433Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:01.272{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99918E95C9CEF5F2A09DCC63272EF379,SHA256=31918BCB89F6EC4C93A8A00D98DC53B149B9B66D92704CEEBEB0EFA6F93940AD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000091078Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:01.350{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-51C5-623C-A705-000000004302}3708C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091077Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:01.319{9531C931-5139-623C-5205-000000004302}15401684C:\Windows\system32\csrss.exe{9531C931-51C5-623C-A705-000000004302}3708C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000091076Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:01.319{9531C931-286C-623C-0500-000000004302}4081060C:\Windows\system32\csrss.exe{9531C931-51C5-623C-A705-000000004302}3708C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000091075Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:01.319{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-51C5-623C-A705-000000004302}3708C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f553|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25bc9|c:\windows\system32\rpcss.dll+40ca2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000091082Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:02.459{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E5BA4A791A4653EC637EF1B85F6D7D5,SHA256=7BE7DBEDD41DA13CBE8C00BDF0B40E44CF900BA9BAD94E135725B90FFB3AF31D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121442Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:02.475{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-51C6-623C-FC05-000000004202}4960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121441Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:02.475{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121440Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:02.475{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121439Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:02.475{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121438Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:02.475{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121437Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:02.475{5F3DCEF0-286A-623C-0500-000000004202}404420C:\Windows\system32\csrss.exe{5F3DCEF0-51C6-623C-FC05-000000004202}4960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000121436Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:02.475{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-51C6-623C-FC05-000000004202}4960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000121435Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:02.476{5F3DCEF0-51C6-623C-FC05-000000004202}4960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000121434Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:02.366{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71944C00B8958446AA9E7C0000591EDD,SHA256=2ECC8694DBAAD5D5497AC07479776676B43BC07945A523190D85C6750CD8E7C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000091085Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:03.569{9531C931-513E-623C-6505-000000004302}3588WIN-HOST-TCONTR\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000015.dbMD5=201D51EEE54B2BA32F74ADD5E4AC6D61,SHA256=D0AE1D0D96D1804666FAD66887EF343084004E06A3C38B73EFD509A5AEBDCC22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000091084Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:03.553{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DDCF5706BC49ACF7D12493459C600E3,SHA256=4A7EC8AEAAD2E3A40340172B8E4CD7BE516CDAED896048B70F6E122334A31F0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121452Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:03.569{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ADE41B57062EC7B198C2380E20231403,SHA256=7983B6922B2A2A1F7B7A821719E5218546F169C62CD19C703764D5B6A93BCA58,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121451Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:03.507{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-51C7-623C-FD05-000000004202}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121450Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:03.507{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121449Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:03.507{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121448Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:03.507{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121447Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:03.507{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121446Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:03.507{5F3DCEF0-286A-623C-0500-000000004202}404608C:\Windows\system32\csrss.exe{5F3DCEF0-51C7-623C-FD05-000000004202}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000121445Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:03.507{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-51C7-623C-FD05-000000004202}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000121444Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:03.507{5F3DCEF0-51C7-623C-FD05-000000004202}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000121443Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:03.460{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82ABF04C06A13D8D94AE1553605CBA2D,SHA256=03F408B19CD7FA8FDA59EDDE1488C551F65A562536DF7C507C7245E065DBCB68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000091083Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:03.231{9531C931-286E-623C-1F00-000000004302}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0461bb3aaa367e86a\channels\health\respondent-20220324081441-171MD5=E0BA989DE2EAC2D304FA728EF5181BE5,SHA256=79811ABCB3575FCAAAD7A2ED1966FC2D319842A68AFDD7DF3600AD47FF32DF65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121463Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:04.554{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6D9AED2F7344E82F7F1FEC98B3C26ED,SHA256=1CCE24A8C28B2ABEBEF955208763EBB61EF1806166576956091881DDCBF2D5F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000091103Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:04.842{9531C931-51B4-623C-9B05-000000004302}5728WIN-HOST-TCONTR\AdministratorC:\Temp\doublezero_s.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.dbMD5=379523B9F5D5B954E719B664846DBF8F,SHA256=3C9002CAEDF0C007134A7E632C72588945A4892B6D7AD3977224A6A5A7457BF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000091102Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:04.646{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FB1969ADEFDF9A7D720BF1678A50720,SHA256=697E674F4D816334D118C508A2CE40AB740367894CA98BBDF94BE6601E1B9D0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000091101Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:04.630{9531C931-51B4-623C-9B05-000000004302}5728WIN-HOST-TCONTR\AdministratorC:\Temp\doublezero_s.exeC:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00A02E59\03_Music_rated_at_4_or_5_stars.wplMD5=6D791B697AF46D6777182AF7F18C2955,SHA256=4825EB90140F6B2F4F7ED0DF66B24E10FF5D0DA70AF53EA495FD30B3AA791870,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000091100Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:04.630{9531C931-51B4-623C-9B05-000000004302}5728WIN-HOST-TCONTR\AdministratorC:\Temp\doublezero_s.exeC:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\002AC538\12_All_Video.wplMD5=372D0BEEBEA5460409A6A1C53AC52A18,SHA256=5B8B62B35E5DD8A46CCCCAF3FC3743BE9E0965D24CBCD20DA2681065EEB37EF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000091099Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:04.614{9531C931-51B4-623C-9B05-000000004302}5728WIN-HOST-TCONTR\AdministratorC:\Temp\doublezero_s.exeC:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\002AC538\09_Music_played_the_most.wplMD5=467E71AA2FD951EB0A1AF3D6BB8378E8,SHA256=A54BC2CAD63CED4FD9FF2A3A094A26E264E8A5CE8139193896D13236F494E2EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000091098Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:04.599{9531C931-51B4-623C-9B05-000000004302}5728WIN-HOST-TCONTR\AdministratorC:\Temp\doublezero_s.exeC:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0026B51E\08_Video_rated_at_4_or_5_stars.wplMD5=A3787A42B81FCE0E448976AD158EDD93,SHA256=94BC17AC59BDE92FBCA00FCC69AED68FCBFE2C1754DD45F4810765F5FDF774FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000091097Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:04.583{9531C931-51B4-623C-9B05-000000004302}5728WIN-HOST-TCONTR\AdministratorC:\Temp\doublezero_s.exeC:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0026B51E\05_Pictures_taken_in_the_last_month.wplMD5=821D2BE672F05514127C117CEF460C6E,SHA256=3ABDB6CBD88AD1557054ECE3F10DD1A8494ED32F423B3CF8321B18DECC489474,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000091096Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:04.552{9531C931-51B4-623C-9B05-000000004302}5728WIN-HOST-TCONTR\AdministratorC:\Temp\doublezero_s.exeC:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0015846C\04_Music_played_in_the_last_month.wplMD5=F8D3A4CACF055F5EC5C62218EA50D290,SHA256=201F2170812CF8041964C4D3C5EF539D96ADEBA6A68B69ECAED0AFFE3AE8E25F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000091095Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:04.536{9531C931-51B4-623C-9B05-000000004302}5728WIN-HOST-TCONTR\AdministratorC:\Temp\doublezero_s.exeC:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0015846C\01_Music_auto_rated_at_5_stars.wplMD5=3094088E14AFDC15D7427B093B8B7B17,SHA256=B2B5080D83A1853FBEC424E6B179B784C57716600E1B58DD8B2C5FEE0E098FE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000091094Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:04.536{9531C931-51B4-623C-9B05-000000004302}5728WIN-HOST-TCONTR\AdministratorC:\Temp\doublezero_s.exeC:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0004CFDF\10_All_Music.wplMD5=51AEED11707741118E0706C1259DF22E,SHA256=EC286113E5AD77AC34063589A137A6DC4B4CAB8845CD9C5386519983FA3B48F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000091093Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:04.521{9531C931-51B4-623C-9B05-000000004302}5728WIN-HOST-TCONTR\AdministratorC:\Temp\doublezero_s.exeC:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00044FE1\09_Music_played_the_most.wplMD5=467E71AA2FD951EB0A1AF3D6BB8378E8,SHA256=A54BC2CAD63CED4FD9FF2A3A094A26E264E8A5CE8139193896D13236F494E2EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000091092Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:04.505{9531C931-51B4-623C-9B05-000000004302}5728WIN-HOST-TCONTR\AdministratorC:\Temp\doublezero_s.exeC:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00044FE1\06_Pictures_rated_4_or_5_stars.wplMD5=0A8A40CA87323DC16893194B00C7FE77,SHA256=9AA433BED2E090CC6904F1C24D5A7B5A1ED6D8F71A997E661B886C69383FD53E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000091091Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:04.489{9531C931-51B4-623C-9B05-000000004302}5728WIN-HOST-TCONTR\AdministratorC:\Temp\doublezero_s.exeC:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00040D1C\05_Pictures_taken_in_the_last_month.wplMD5=821D2BE672F05514127C117CEF460C6E,SHA256=3ABDB6CBD88AD1557054ECE3F10DD1A8494ED32F423B3CF8321B18DECC489474,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000091090Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:04.489{9531C931-51B4-623C-9B05-000000004302}5728WIN-HOST-TCONTR\AdministratorC:\Temp\doublezero_s.exeC:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00040D1C\02_Music_added_in_the_last_month.wplMD5=907BFC98CE854AE312127C952D8BE0F2,SHA256=C475DC7423C2AD60F25ADAAC754CD8B68B57FF04F26ECEF78F3E5961B986A324,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000091089Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:04.474{9531C931-51B4-623C-9B05-000000004302}5728WIN-HOST-TCONTR\AdministratorC:\Temp\doublezero_s.exeC:\Users\Administrator\AppData\Local\Microsoft\Internet Explorer\IECompatData\iecompatdata.xmlMD5=0E261912C7370A9A10E9754FE2C31E51,SHA256=202B2AE4539654F844D7E5BD0EB02385BBE312DFEF3BE5A48769498C9702102D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000091088Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:04.474{9531C931-51B4-623C-9B05-000000004302}5728WIN-HOST-TCONTR\AdministratorC:\Temp\doublezero_s.exeC:\Users\Administrator\AppData\Local\Microsoft\Internet Explorer\brndlog.txtMD5=E80940BFCC2409737A477BFA66227BBF,SHA256=3FC8FD83F4B67960D8C918C4787D230A98BD2C3AB633B06F39EB2C7FD7532666,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000091087Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:04.474{9531C931-51B4-623C-9B05-000000004302}5728C:\Temp\doublezero_s.exeC:\Sysmon\E80940BFCC2409737A477BFA66227BBF3FC8FD83F4B67960D8C918C4787D230A98BD2C3AB633B06F39EB2C7FD753266600000000000000000000000000000000.txt2022-03-24 11:11:04.474 23542300x800000000000000091086Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:04.226{9531C931-286E-623C-1F00-000000004302}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0461bb3aaa367e86a\channels\health\surveyor-20220324081439-172MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121462Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:04.366{5F3DCEF0-51C8-623C-FE05-000000004202}87052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000121461Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:01.868{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63434-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000121460Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:04.179{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-51C8-623C-FE05-000000004202}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121459Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:04.179{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121458Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:04.179{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121457Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:04.179{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121456Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:04.179{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121455Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:04.179{5F3DCEF0-286A-623C-0500-000000004202}404420C:\Windows\system32\csrss.exe{5F3DCEF0-51C8-623C-FE05-000000004202}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000121454Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:04.179{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-51C8-623C-FE05-000000004202}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000121453Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:04.179{5F3DCEF0-51C8-623C-FE05-000000004202}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000121465Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:05.944{5F3DCEF0-287B-623C-3200-000000004202}2344NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=2C41ABB6DFC71FEE42937092BD0B4BEB,SHA256=D3E1094445CA88F7DD430BD061C89D675E44C18B6D75600610A35F96D6997E00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121464Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:05.663{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A084A897F27F7D92BE9993259996555,SHA256=112DD1E50C798BCF3CE166AEED43AF17C51A08601956A3C2FF41E19A4FE88F68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000091114Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:05.983{9531C931-51B4-623C-9B05-000000004302}5728WIN-HOST-TCONTR\AdministratorC:\Temp\doublezero_s.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.iniMD5=42D1770E232A5D25EA2C08E4EABF7E41,SHA256=CCED29BCEDE7E70AED3CA67BFD91BB704D1D5565E01DD48C37F3EF2045C198E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000091113Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:05.967{9531C931-51B4-623C-9B05-000000004302}5728WIN-HOST-TCONTR\AdministratorC:\Temp\doublezero_s.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\WebCache\V01res00002.jrsMD5=59071590099D21DD439896592338BF95,SHA256=07854D2FEF297A06BA81685E660C332DE36D5D18D546927D30DAAD6D7FDA1541,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x800000000000000091112Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:05.764{9531C931-51B4-623C-9B05-000000004302}5728WIN-HOST-TCONTR\AdministratorC:\Temp\doublezero_s.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\WebCache\V01.chkMD5=38376CD60204A05A0D9ADE5A26E8FF9B,SHA256=B574BB08711598E624990B9761C7F9C01D3C599079B5CD2407C8B4E0429C3B71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000091111Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:05.639{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=588B170FD245561DDB6BFAD51340EF1A,SHA256=B8F4AC65D8C7C49A304DEEF439F8F9DF53EB28D8F8CE841D83AF90394C39CDFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000091110Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:05.639{9531C931-51B4-623C-9B05-000000004302}5728WIN-HOST-TCONTR\AdministratorC:\Temp\doublezero_s.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\SettingSync\metastore\meta.edbMD5=117366841ED1DD6FDBF0799A58B5C733,SHA256=3E2C6F88348BE3371F27A1FA3D47D6D8C8CFFA54C8C2F53D24D4EC7B0FE8BCE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000091109Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:05.389{9531C931-51B4-623C-9B05-000000004302}5728WIN-HOST-TCONTR\AdministratorC:\Temp\doublezero_s.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\SettingSync\metastore\edb.chkMD5=755A84D0130D4597684E8422331BAE7E,SHA256=2F55CF67DB6A21DF868CB79513799A862CEA3EC4F24DF5CF2FD46B23F16FC769,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000091108Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:05.389{9531C931-51B4-623C-9B05-000000004302}5728WIN-HOST-TCONTR\AdministratorC:\Temp\doublezero_s.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PRICache\930680240\4166858746.priMD5=2FD5C39E4C8980F734130B7BA400B58E,SHA256=2D2C734A54857EFE48D646020AB36A503E48B74289949EE7B93028DE3036021E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000091107Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:02.743{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51800-false10.0.1.12-8000- 23542300x800000000000000091106Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:05.045{9531C931-51B4-623C-9B05-000000004302}5728WIN-HOST-TCONTR\AdministratorC:\Temp\doublezero_s.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PRICache\365841599\3552316019.priMD5=0833230F0BEA8645D7A38B877AD237DD,SHA256=4AAB33FFE7E67EEF4675CE1496F462CB3F7288EC7882C6AD3661C5C28B72B316,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000091105Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:05.014{9531C931-51B4-623C-9B05-000000004302}5728WIN-HOST-TCONTR\AdministratorC:\Temp\doublezero_s.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\thumbcache_wide.dbMD5=5F243BF7CC0A348B6D31460A91173E71,SHA256=1B1AED169F2ACFAE4CF230701BDA91229CB582FF2CE29A413C5B8FE3B890D289,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000091104Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:04.842{9531C931-51B4-623C-9B05-000000004302}5728WIN-HOST-TCONTR\AdministratorC:\Temp\doublezero_s.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1280.dbMD5=2DD3F3C33E7100EC0D4DBBCA9774B044,SHA256=5A00CC998E0D0285B729964AFD20618CBAECFA7791FECDB843B535491A83AE21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000091139Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:06.873{9531C931-51B4-623C-9B05-000000004302}5728WIN-HOST-TCONTR\AdministratorC:\Temp\doublezero_s.exeC:\Users\Default\AppData\Local\Microsoft\Windows\PRICache\3233787209\3990556640.priMD5=4A072CE3A865A044BA7C42CB95D2B929,SHA256=08F0CBCF6D13F332A797867BF7093CF6BFD57AAC1B69AF96388D3F442F32E00F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000091138Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:06.764{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DE7273EE69C2D69107AF276EEA9DECE,SHA256=A668477C46E5A4F77A38550103421D5C53B282BE161CF67BFA333698B9E1D36A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000091137Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:06.670{9531C931-51B4-623C-9B05-000000004302}5728WIN-HOST-TCONTR\AdministratorC:\Temp\doublezero_s.exeC:\Users\Default\AppData\Local\Microsoft\Windows\Explorer\thumbcache_wide.dbMD5=5F243BF7CC0A348B6D31460A91173E71,SHA256=1B1AED169F2ACFAE4CF230701BDA91229CB582FF2CE29A413C5B8FE3B890D289,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000091136Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:06.670{9531C931-51B4-623C-9B05-000000004302}5728WIN-HOST-TCONTR\AdministratorC:\Temp\doublezero_s.exeC:\Users\Default\AppData\Local\Microsoft\Windows\Explorer\thumbcache_48.dbMD5=AE6FBDED57F9F7D048B95468DDEE47CA,SHA256=D3C9D1FF7B54B653C6A1125CAC49F52070338A2DD271817BBA8853E99C0F33A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000091135Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:06.655{9531C931-51B4-623C-9B05-000000004302}5728WIN-HOST-TCONTR\AdministratorC:\Temp\doublezero_s.exeC:\Users\Default\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1280.dbMD5=2DD3F3C33E7100EC0D4DBBCA9774B044,SHA256=5A00CC998E0D0285B729964AFD20618CBAECFA7791FECDB843B535491A83AE21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121466Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:06.757{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F099A69430B73F8F4F489F000E2DFF0,SHA256=8426A25CCEC18DFA9827707E51653006BD419AD93818D76E11C05C5AFFAF9103,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000091134Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:06.467{9531C931-51B4-623C-9B05-000000004302}5728WIN-HOST-TCONTR\AdministratorC:\Temp\doublezero_s.exeC:\Users\Default\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000012.dbMD5=A7F8296CDC5152AB7651B283020EEE4F,SHA256=8A553E97AE3298F7478DF69DF7F5AB092CA144143ED387C935A84306F41DBCFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000091133Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:06.452{9531C931-51B4-623C-9B05-000000004302}5728WIN-HOST-TCONTR\AdministratorC:\Temp\doublezero_s.exeC:\Users\Default\AppData\Local\Microsoft\Windows\UsrClass.dat{7ad6e536-94d6-11e6-a93d-0e8379924a6a}.TM.blfMD5=1A93907361770067D0FDC96F3EBA2E2B,SHA256=F0410826E185ED031F39B748A33C172695D0D8B48B357B0CCD8EB1F4E2AADDDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000091132Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:06.202{9531C931-51B4-623C-9B05-000000004302}5728WIN-HOST-TCONTR\AdministratorC:\Temp\doublezero_s.exeC:\Users\Default\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\002AC538\04_Music_played_in_the_last_month.wplMD5=F8D3A4CACF055F5EC5C62218EA50D290,SHA256=201F2170812CF8041964C4D3C5EF539D96ADEBA6A68B69ECAED0AFFE3AE8E25F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000091131Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:06.202{9531C931-51B4-623C-9B05-000000004302}5728WIN-HOST-TCONTR\AdministratorC:\Temp\doublezero_s.exeC:\Users\Default\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\002AC538\01_Music_auto_rated_at_5_stars.wplMD5=3094088E14AFDC15D7427B093B8B7B17,SHA256=B2B5080D83A1853FBEC424E6B179B784C57716600E1B58DD8B2C5FEE0E098FE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000091130Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:06.170{9531C931-51B4-623C-9B05-000000004302}5728WIN-HOST-TCONTR\AdministratorC:\Temp\doublezero_s.exeC:\Users\Default\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0015846C\12_All_Video.wplMD5=372D0BEEBEA5460409A6A1C53AC52A18,SHA256=5B8B62B35E5DD8A46CCCCAF3FC3743BE9E0965D24CBCD20DA2681065EEB37EF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000091129Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:06.170{9531C931-51B4-623C-9B05-000000004302}5728WIN-HOST-TCONTR\AdministratorC:\Temp\doublezero_s.exeC:\Users\Default\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0015846C\09_Music_played_the_most.wplMD5=467E71AA2FD951EB0A1AF3D6BB8378E8,SHA256=A54BC2CAD63CED4FD9FF2A3A094A26E264E8A5CE8139193896D13236F494E2EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000091128Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:06.155{9531C931-51B4-623C-9B05-000000004302}5728WIN-HOST-TCONTR\AdministratorC:\Temp\doublezero_s.exeC:\Users\Default\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0015846C\06_Pictures_rated_4_or_5_stars.wplMD5=0A8A40CA87323DC16893194B00C7FE77,SHA256=9AA433BED2E090CC6904F1C24D5A7B5A1ED6D8F71A997E661B886C69383FD53E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000091127Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:06.124{9531C931-51B4-623C-9B05-000000004302}5728WIN-HOST-TCONTR\AdministratorC:\Temp\doublezero_s.exeC:\Users\Default\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0004CFDF\05_Pictures_taken_in_the_last_month.wplMD5=821D2BE672F05514127C117CEF460C6E,SHA256=3ABDB6CBD88AD1557054ECE3F10DD1A8494ED32F423B3CF8321B18DECC489474,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000091126Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:06.124{9531C931-51B4-623C-9B05-000000004302}5728WIN-HOST-TCONTR\AdministratorC:\Temp\doublezero_s.exeC:\Users\Default\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0004CFDF\02_Music_added_in_the_last_month.wplMD5=907BFC98CE854AE312127C952D8BE0F2,SHA256=C475DC7423C2AD60F25ADAAC754CD8B68B57FF04F26ECEF78F3E5961B986A324,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000091125Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:06.092{9531C931-51B4-623C-9B05-000000004302}5728WIN-HOST-TCONTR\AdministratorC:\Temp\doublezero_s.exeC:\Users\Default\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00044FE1\01_Music_auto_rated_at_5_stars.wplMD5=3094088E14AFDC15D7427B093B8B7B17,SHA256=B2B5080D83A1853FBEC424E6B179B784C57716600E1B58DD8B2C5FEE0E098FE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000091124Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:06.076{9531C931-51B4-623C-9B05-000000004302}5728WIN-HOST-TCONTR\AdministratorC:\Temp\doublezero_s.exeC:\Users\Default\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00040D1C\10_All_Music.wplMD5=51AEED11707741118E0706C1259DF22E,SHA256=EC286113E5AD77AC34063589A137A6DC4B4CAB8845CD9C5386519983FA3B48F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000091123Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:06.061{9531C931-51B4-623C-9B05-000000004302}5728WIN-HOST-TCONTR\AdministratorC:\Temp\doublezero_s.exeC:\Users\Default\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00040D1C\07_TV_recorded_in_the_last_week.wplMD5=B9987B1F9DF6D0AFC01558B907E62A16,SHA256=0892EFDB8459D81D4C5E1085239734D9910B9C6A1DEBD7189CF385141F0B19D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000091122Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:06.045{9531C931-51B4-623C-9B05-000000004302}5728WIN-HOST-TCONTR\AdministratorC:\Temp\doublezero_s.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\SendTo\Bluetooth File Transfer.LNKMD5=CB97B848ABCB6376D491AC6BD9CBEADD,SHA256=D6369598C0846422DF1F6E1029041784E34D3B6FCC12A3BA0FC1613A0F80530A,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x800000000000000091121Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:06.045{9531C931-51B4-623C-9B05-000000004302}5728WIN-HOST-TCONTR\AdministratorC:\Temp\doublezero_s.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\9b9cdc69c1c24e2b.automaticDestinations-msMD5=32CA18808933AA12E979375D07048A11,SHA256=A11937F356A9B0BA592C82F5290BAC8016CB33A3F9BC68D3490147C158EBB10D,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x800000000000000091120Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:06.030{9531C931-51B4-623C-9B05-000000004302}5728WIN-HOST-TCONTR\AdministratorC:\Temp\doublezero_s.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\5f7b5f1e01b83767.automaticDestinations-msMD5=B4202F7FE985B9648B4676E6F70832BD,SHA256=6CF1B57D59E7111BC218DFB01DDA93AC0F776715599A1C69F89035BD20C16A10,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x800000000000000091119Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:06.030{9531C931-51B4-623C-9B05-000000004302}5728WIN-HOST-TCONTR\AdministratorC:\Temp\doublezero_s.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\Uninstall a program.lnkMD5=D26937A0A615266CCD9FB199E7FB7FB9,SHA256=5C55C8F4DB4010BA9203D83536D0609856AF8C847AC039E37E7DDE8FBD574B61,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x800000000000000091118Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:06.030{9531C931-51B4-623C-9B05-000000004302}5728WIN-HOST-TCONTR\AdministratorC:\Temp\doublezero_s.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-2214540325-3392803530-572759246-500\5e4d4ef5-b569-45f7-8b3d-074895ba52c9MD5=1D26FE44B47D556330EE99F531E04BD4,SHA256=9E9407D440C27333BF1A756EAEF644B9BBDD9E9682F7BB006E67D5CC47099A88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000091117Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:06.014{9531C931-51B4-623C-9B05-000000004302}5728WIN-HOST-TCONTR\AdministratorC:\Temp\doublezero_s.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.iniMD5=DEE294828EE7536D2F8C97BD714C8AF8,SHA256=BE29918EBC9503393EB28C8BF2026D8E240F08A087B1B6597F55E1D49A4B652F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000091116Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:06.014{9531C931-51B4-623C-9B05-000000004302}5728WIN-HOST-TCONTR\AdministratorC:\Temp\doublezero_s.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\WinX\Group3\10 - Programs and Features.lnkMD5=0557B4FF52AC8E9DA80A9721C0F26F84,SHA256=3E884973BE3FC887CED96AE9C99CEB197A776CEE319981DD2217C98F4953D83F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000091115Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:06.014{9531C931-51B4-623C-9B05-000000004302}5728C:\Temp\doublezero_s.exeC:\Sysmon\0557B4FF52AC8E9DA80A9721C0F26F843E884973BE3FC887CED96AE9C99CEB197A776CEE319981DD2217C98F4953D83F00000000000000000000000000000000.lnk2022-03-24 11:11:06.014 23542300x800000000000000091155Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:07.764{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5AD2D12A5E130ADFE9297C3E8D95652,SHA256=F0E574CF100894FE52CFC0EDE1D0FC9EB2D02A479558755353F8DA4F2714DA54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000091154Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:07.701{9531C931-51B4-623C-9B05-000000004302}5728WIN-HOST-TCONTR\AdministratorC:\Temp\doublezero_s.exeC:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.iniMD5=36AB5BBC84127288A4BFBAB259005F93,SHA256=1A0295F4BF5986C5F74ECA9153A6A4CB10B073A01A76BA4A457FD862C78966A4,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x800000000000000091153Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:07.686{9531C931-51B4-623C-9B05-000000004302}5728WIN-HOST-TCONTR\AdministratorC:\Temp\doublezero_s.exeC:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\WindowsUpdate.lnkMD5=1DD69F505B6B0A993B58A03AE51ADA0C,SHA256=5417E37B4A73462D656A176287E1321045E8D51C31732334758421AE5913E98F,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x800000000000000091152Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:07.686{9531C931-51B4-623C-9B05-000000004302}5728WIN-HOST-TCONTR\AdministratorC:\Temp\doublezero_s.exeC:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\AWS.EC2.WindowsUpdate.lnkMD5=F402A136056A501E0EC806F3106C9364,SHA256=19061F73EB6658EAE8440C884340738862B2D2E89DFC3B7642DE20013434982C,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x800000000000000091151Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:07.686{9531C931-51B4-623C-9B05-000000004302}5728WIN-HOST-TCONTR\AdministratorC:\Temp\doublezero_s.exeC:\Users\Default\AppData\Roaming\Microsoft\Windows\Libraries\Videos.library-msMD5=DADFF5A5756573645ADC5785A8099647,SHA256=CCF4C19E821EBC9A362A58A3B6CCC2B03674297D1777C6036A83EDF672C16A11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121478Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:07.850{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5842609A6777046641E710CA7C964E75,SHA256=349AD799FDBDA218BFCCBC8AED80EAB26B5280A4F3FCFCA95B799223D59C7B42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000091150Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:07.670{9531C931-51B4-623C-9B05-000000004302}5728WIN-HOST-TCONTR\AdministratorC:\Temp\doublezero_s.exeC:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\File Explorer.lnkMD5=F727CBB9351106B2DD46F3EF649F3176,SHA256=CF116B33831DE9F80847ABDB2A0D92AB3D3F956A8E209EC95D35D986EEA8C7B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000091149Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:07.670{9531C931-51B4-623C-9B05-000000004302}5728WIN-HOST-TCONTR\AdministratorC:\Temp\doublezero_s.exeC:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\File Explorer (4).lnkMD5=F727CBB9351106B2DD46F3EF649F3176,SHA256=CF116B33831DE9F80847ABDB2A0D92AB3D3F956A8E209EC95D35D986EEA8C7B5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000091148Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:07.670{9531C931-51B4-623C-9B05-000000004302}5728C:\Temp\doublezero_s.exeC:\Sysmon\F727CBB9351106B2DD46F3EF649F3176CF116B33831DE9F80847ABDB2A0D92AB3D3F956A8E209EC95D35D986EEA8C7B500000000000000000000000000000000.lnk2022-03-24 11:11:07.670 23542300x800000000000000091147Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:07.655{9531C931-51B4-623C-9B05-000000004302}5728WIN-HOST-TCONTR\AdministratorC:\Temp\doublezero_s.exeC:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\06 - System.lnkMD5=82AC56D8569B139877BA2E6746F62AD4,SHA256=D65A5212ED648A8B8B2A82807DD4A444C3D7C18E81D5A7493AD7ECA8E52A36FB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000091146Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:07.655{9531C931-51B4-623C-9B05-000000004302}5728C:\Temp\doublezero_s.exeC:\Sysmon\82AC56D8569B139877BA2E6746F62AD4D65A5212ED648A8B8B2A82807DD4A444C3D7C18E81D5A7493AD7ECA8E52A36FB00000000000000000000000000000000.lnk2022-03-24 11:11:07.655 23542300x800000000000000091145Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:07.655{9531C931-51B4-623C-9B05-000000004302}5728WIN-HOST-TCONTR\AdministratorC:\Temp\doublezero_s.exeC:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\04 - Disk Management.lnkMD5=C17A68B75F528C05F77D35276EE593D7,SHA256=D3F75300B0FB4B87609CF2259A5EE4DAC769918ABC70F93BD6B2192BA2EFE95B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000091144Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:07.655{9531C931-51B4-623C-9B05-000000004302}5728C:\Temp\doublezero_s.exeC:\Sysmon\C17A68B75F528C05F77D35276EE593D7D3F75300B0FB4B87609CF2259A5EE4DAC769918ABC70F93BD6B2192BA2EFE95B00000000000000000000000000000000.lnk2022-03-24 11:11:07.655 23542300x800000000000000091143Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:07.639{9531C931-51B4-623C-9B05-000000004302}5728WIN-HOST-TCONTR\AdministratorC:\Temp\doublezero_s.exeC:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\02 - Command Prompt.lnkMD5=4E6842A775723CA8FC07E1071A27A0DF,SHA256=4C7B83744027FB666849C6AFC524732C1E885D403B0338EAE4F7FBD7921137BF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000091142Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:07.639{9531C931-51B4-623C-9B05-000000004302}5728C:\Temp\doublezero_s.exeC:\Sysmon\4E6842A775723CA8FC07E1071A27A0DF4C7B83744027FB666849C6AFC524732C1E885D403B0338EAE4F7FBD7921137BF00000000000000000000000000000000.lnk2022-03-24 11:11:07.639 23542300x800000000000000091141Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:07.608{9531C931-51B4-623C-9B05-000000004302}5728WIN-HOST-TCONTR\AdministratorC:\Temp\doublezero_s.exeC:\Users\Default\AppData\Local\Microsoft\Windows\WebCache\V0100005.logMD5=5FFB9BF17F74ABE7333B2E6DAD568FCA,SHA256=9C531F7C4771E289FB08DFC17788578F537EE2E40EE30BB174D83840A3D8FA47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000091140Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:07.155{9531C931-51B4-623C-9B05-000000004302}5728WIN-HOST-TCONTR\AdministratorC:\Temp\doublezero_s.exeC:\Users\Default\AppData\Local\Microsoft\Windows\SettingSync\metastore\edb.logMD5=226338E3C4E47D1DD13E346231B53AAC,SHA256=DAD5D452E8CCE79150D0597C524B99AAB151C5EC50A5D5AF16DDE2E8D46D801B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000121477Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:05.947{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local63435-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local389ldap 354300x8000000000000000121476Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:05.947{5F3DCEF0-287B-623C-2E00-000000004202}3044C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local63435-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local389ldap 10341000x8000000000000000121475Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:07.241{5F3DCEF0-51CB-623C-FF05-000000004202}67446332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121474Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:07.038{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-51CB-623C-FF05-000000004202}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121473Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:07.038{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121472Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:07.038{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121471Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:07.038{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121470Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:07.038{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121469Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:07.038{5F3DCEF0-286A-623C-0500-000000004202}4041324C:\Windows\system32\csrss.exe{5F3DCEF0-51CB-623C-FF05-000000004202}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000121468Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:07.038{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-51CB-623C-FF05-000000004202}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000121467Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:07.039{5F3DCEF0-51CB-623C-FF05-000000004202}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000121496Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:08.944{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BD6D3F5BC5DEE356D36A838075215D2,SHA256=2F12FD801E5CF1F3472671B2A28382536AEB16C04C557BA780E6227112FE2471,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121495Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:08.929{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-51CC-623C-0106-000000004202}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121494Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:08.929{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121493Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:08.929{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121492Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:08.929{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121491Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:08.929{5F3DCEF0-286A-623C-0500-000000004202}404520C:\Windows\system32\csrss.exe{5F3DCEF0-51CC-623C-0106-000000004202}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000121490Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:08.929{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121489Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:08.929{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-51CC-623C-0106-000000004202}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000121488Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:08.929{5F3DCEF0-51CC-623C-0106-000000004202}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000091156Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:08.748{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEB054AE1E6D0DDC134F5AFD40953CE5,SHA256=5719272E1E5CDC0AAB46E097EA5EF8F1C537CA5EAD42678F077A0919A9809004,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121487Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:08.444{5F3DCEF0-51CC-623C-0006-000000004202}70485672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121486Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:08.257{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-51CC-623C-0006-000000004202}7048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121485Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:08.257{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121484Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:08.257{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121483Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:08.257{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121482Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:08.257{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121481Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:08.257{5F3DCEF0-286A-623C-0500-000000004202}404608C:\Windows\system32\csrss.exe{5F3DCEF0-51CC-623C-0006-000000004202}7048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000121480Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:08.257{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-51CC-623C-0006-000000004202}7048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000121479Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:08.257{5F3DCEF0-51CC-623C-0006-000000004202}7048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000091181Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:09.983{9531C931-286E-623C-1500-000000004302}10401516C:\Windows\system32\svchost.exe{9531C931-51CD-623C-A805-000000004302}2576C:\Windows\system32\wlrmdr.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091180Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:09.967{9531C931-513E-623C-6505-000000004302}35882724C:\Windows\Explorer.EXE{9531C931-51CD-623C-A805-000000004302}2576C:\Windows\system32\wlrmdr.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091179Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:09.952{9531C931-513E-623C-6505-000000004302}35882724C:\Windows\Explorer.EXE{9531C931-51CD-623C-A805-000000004302}2576C:\Windows\system32\wlrmdr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091178Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:09.952{9531C931-513E-623C-6505-000000004302}35882724C:\Windows\Explorer.EXE{9531C931-51CD-623C-A805-000000004302}2576C:\Windows\system32\wlrmdr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091177Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:09.952{9531C931-513D-623C-6005-000000004302}32162744C:\Windows\system32\taskhostw.exe{9531C931-51CD-623C-A805-000000004302}2576C:\Windows\system32\wlrmdr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091176Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:09.936{9531C931-513D-623C-6005-000000004302}32162744C:\Windows\system32\taskhostw.exe{9531C931-51CD-623C-A805-000000004302}2576C:\Windows\system32\wlrmdr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091175Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:09.920{9531C931-513E-623C-6505-000000004302}35884184C:\Windows\Explorer.EXE{9531C931-51CD-623C-A805-000000004302}2576C:\Windows\system32\wlrmdr.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bc660|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091174Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:09.920{9531C931-513E-623C-6505-000000004302}35884184C:\Windows\Explorer.EXE{9531C931-51CD-623C-A805-000000004302}2576C:\Windows\system32\wlrmdr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10ac30|C:\Windows\System32\SHELL32.dll+bc61c|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091173Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:09.920{9531C931-513E-623C-6505-000000004302}35884184C:\Windows\Explorer.EXE{9531C931-51CD-623C-A805-000000004302}2576C:\Windows\system32\wlrmdr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bc5f0|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091172Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:09.920{9531C931-513E-623C-6505-000000004302}35884184C:\Windows\Explorer.EXE{9531C931-51CD-623C-A805-000000004302}2576C:\Windows\system32\wlrmdr.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+1007b9|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000091171Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:09.891{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=6DD405951A611A1E29265027A44DA8A3,SHA256=920BE5420D345A8C834659BD647C8EADEC24B6A4F29AB3536C169EF68492E3AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000091170Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:09.842{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4548EBE334A2A5AE564B05ECB121DB1B,SHA256=5451C3345D381553E511511EA40E541CFA66728EC4B8384E35ECFA42E7D2BD97,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121507Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:09.600{5F3DCEF0-51CD-623C-0206-000000004202}57844676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000121506Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:07.884{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63436-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000121505Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:09.429{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-51CD-623C-0206-000000004202}5784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121504Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:09.429{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121503Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:09.429{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121502Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:09.429{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121501Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:09.429{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121500Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:09.429{5F3DCEF0-286A-623C-0500-000000004202}404608C:\Windows\system32\csrss.exe{5F3DCEF0-51CD-623C-0206-000000004202}5784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000121499Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:09.429{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-51CD-623C-0206-000000004202}5784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000121498Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:09.430{5F3DCEF0-51CD-623C-0206-000000004202}5784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000121497Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:09.366{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=93E1FAF16798B1F47E4C61675CB01586,SHA256=731DE914C572DC53E7FE75A292942292BC9C639C2A9B9673FF844A2A27CA3157,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000091169Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:09.701{9531C931-286E-623C-1400-000000004302}9522352C:\Windows\system32\svchost.exe{9531C931-51CD-623C-A805-000000004302}2576C:\Windows\system32\wlrmdr.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091168Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:09.701{9531C931-286E-623C-1400-000000004302}9521104C:\Windows\system32\svchost.exe{9531C931-51CD-623C-A805-000000004302}2576C:\Windows\system32\wlrmdr.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000091167Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:09.670{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=BF67F170FBA8EF7EB68516F808FFF96E,SHA256=927F1F086929E5E0B0D1368637393F1A280709F02877FF9C2DA9F2E3F7EFFBC6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000091166Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:09.655{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091165Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:09.655{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091164Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:09.655{9531C931-5139-623C-5205-000000004302}15403348C:\Windows\system32\csrss.exe{9531C931-51CD-623C-A805-000000004302}2576C:\Windows\system32\wlrmdr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000091163Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:09.655{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091162Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:09.655{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091161Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:09.655{9531C931-5139-623C-5305-000000004302}38203156C:\Windows\system32\winlogon.exe{9531C931-51CD-623C-A805-000000004302}2576C:\Windows\system32\wlrmdr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f553|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\winlogon.exe+15b13|C:\Windows\system32\winlogon.exe+47f89|C:\Windows\system32\winlogon.exe+47638|C:\Windows\system32\winlogon.exe+41f92|C:\Windows\system32\winlogon.exe+343d6|C:\Windows\system32\winlogon.exe+22b8e|C:\Windows\system32\winlogon.exe+2b287|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000091160Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:09.660{9531C931-51CD-623C-A805-000000004302}2576C:\Windows\System32\wlrmdr.exe10.0.14393.4169 (rs1_release.210107-1130)Windows logon reminderMicrosoft® Windows® Operating SystemMicrosoft CorporationWLRMNDR.EXE-s -1 -f 2 -t Your PC will automatically restart in one minute -m Windows ran into a problem and needs to restart. You should close this message now and save your work. -a 3C:\Windows\system32\WIN-HOST-TCONTR\Administrator{9531C931-0000-0000-21B3-330000000000}0x33b3212HighMD5=DF9B0FA86DD44537F0764C0B068C32FC,SHA256=E6F559A6A36C042826C9430B2D669A7FA4C3513159DA370B2CC258E13AF37591,IMPHASH=5A2DB772209CDAEB04D5A9F908EF5AD3{9531C931-5139-623C-5305-000000004302}3820C:\Windows\System32\winlogon.exewinlogon.exe 10341000x800000000000000091159Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:09.639{9531C931-51B4-623C-9B05-000000004302}57285620C:\Temp\doublezero_s.exe{9531C931-286C-623C-0B00-000000004302}628C:\Windows\system32\lsass.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\522db9cf6340db20d9ce58752dffc3b3\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\522db9cf6340db20d9ce58752dffc3b3\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\522db9cf6340db20d9ce58752dffc3b3\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\522db9cf6340db20d9ce58752dffc3b3\System.ni.dll+2c3566|UNKNOWN(00007FF93AB230F5) 10341000x800000000000000091158Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:09.639{9531C931-51B4-623C-9B05-000000004302}57285620C:\Temp\doublezero_s.exe{9531C931-286C-623C-0B00-000000004302}628C:\Windows\system32\lsass.exe0x1C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\522db9cf6340db20d9ce58752dffc3b3\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\522db9cf6340db20d9ce58752dffc3b3\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\522db9cf6340db20d9ce58752dffc3b3\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\522db9cf6340db20d9ce58752dffc3b3\System.ni.dll+94a59f|UNKNOWN(00007FF93AB21EE7) 10341000x800000000000000091157Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:09.639{9531C931-286C-623C-0B00-000000004302}6283668C:\Windows\system32\lsass.exe{9531C931-51B4-623C-9B05-000000004302}5728C:\Temp\doublezero_s.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000091191Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:10.983{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23339681784F871A1605520FADD383FD,SHA256=A2D1999C684F4F36B78975FED943C85C4BC9A2BB73072E894B82F7D5810880C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121508Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:10.054{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F3C56556799D94742F1F9E199148627,SHA256=69F3373B4BCF2C25043E70CFD9B4524EDDA3F0A344EABB2CB1AAF2FC2A5908CB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000091190Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:10.139{9531C931-513E-623C-6505-000000004302}35882724C:\Windows\Explorer.EXE{9531C931-51CD-623C-A805-000000004302}2576C:\Windows\system32\wlrmdr.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091189Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:10.139{9531C931-513E-623C-6505-000000004302}35882724C:\Windows\Explorer.EXE{9531C931-51CD-623C-A805-000000004302}2576C:\Windows\system32\wlrmdr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091188Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:10.139{9531C931-513E-623C-6505-000000004302}35882724C:\Windows\Explorer.EXE{9531C931-51CD-623C-A805-000000004302}2576C:\Windows\system32\wlrmdr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091187Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:10.139{9531C931-286D-623C-0C00-000000004302}7202416C:\Windows\system32\svchost.exe{9531C931-51CD-623C-A805-000000004302}2576C:\Windows\system32\wlrmdr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091186Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:10.139{9531C931-513E-623C-6505-000000004302}35882724C:\Windows\Explorer.EXE{9531C931-51CD-623C-A805-000000004302}2576C:\Windows\system32\wlrmdr.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091185Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:10.139{9531C931-513E-623C-6505-000000004302}35882724C:\Windows\Explorer.EXE{9531C931-51CD-623C-A805-000000004302}2576C:\Windows\system32\wlrmdr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091184Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:10.139{9531C931-513E-623C-6505-000000004302}35882724C:\Windows\Explorer.EXE{9531C931-51CD-623C-A805-000000004302}2576C:\Windows\system32\wlrmdr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091183Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:09.998{9531C931-286E-623C-1500-000000004302}10401516C:\Windows\system32\svchost.exe{9531C931-51CD-623C-A805-000000004302}2576C:\Windows\system32\wlrmdr.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091182Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:09.998{9531C931-286E-623C-1500-000000004302}10401516C:\Windows\system32\svchost.exe{9531C931-51CD-623C-A805-000000004302}2576C:\Windows\system32\wlrmdr.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000121509Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:11.147{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4964685B3BD489A810730BFA7F761770,SHA256=B6B9F206FB92132940AC8FDE47AA29B26249A6D5DB5994523C75E3D9B328B879,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000091192Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:08.688{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51801-false10.0.1.12-8000- 23542300x8000000000000000121510Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:12.241{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BA013C56A302C1BAC9FBF864C1DC0D4,SHA256=A0290D35F494F013D06A4025E49810A89D1763E48B728BCBA1DA83D211A6CB43,IMPHASH=00000000000000000000000000000000falsetrue 12241200x800000000000000091198Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971Context,DeviceConntectedOrUpdatedDeleteKey2022-03-24 11:11:12.967{9531C931-51B4-623C-9B05-000000004302}5728C:\Temp\doublezero_s.exeHKLM\System\CurrentControlSet\Control\Class\{4d36e96c-e325-11ce-bfc1-08002be10318}\Configuration\Variables\FriendlyName 12241200x800000000000000091197Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971Context,DeviceConntectedOrUpdatedDeleteKey2022-03-24 11:11:12.811{9531C931-51B4-623C-9B05-000000004302}5728C:\Temp\doublezero_s.exeHKLM\System\CurrentControlSet\Control\Class\{4d36e96a-e325-11ce-bfc1-08002be10318}\Configuration\Variables\FriendlyName 12241200x800000000000000091196Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-DeleteKey2022-03-24 11:11:12.326{9531C931-51B4-623C-9B05-000000004302}5728C:\Temp\doublezero_s.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions 12241200x800000000000000091195Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-DeleteKey2022-03-24 11:11:12.326{9531C931-51B4-623C-9B05-000000004302}5728C:\Temp\doublezero_s.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached 12241200x800000000000000091194Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971T1060,RunKeyDeleteKey2022-03-24 11:11:12.311{9531C931-51B4-623C-9B05-000000004302}5728C:\Temp\doublezero_s.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run 23542300x800000000000000091193Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:12.108{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34188ACDE8BA001BC80E94247609EF94,SHA256=C72D8F9256A8B3D698D8CC073BE76C6C5F608E6C8F843A8CDF6CFDFF564F816D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121511Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:13.335{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BEBF2D639D66D4C45BEB7F34C6F7F84,SHA256=DD3304678C6ABC724D3AEFD2BE9B200B08F0FA3EF9B241E90B60837831409AFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000091199Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:13.201{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DA4A9BACC8284A4E4834B049DE66EC9,SHA256=381C92FDE5BA6FE3CBE87A462771D683B221FA945551F4A16B2D5DF1435D0124,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121512Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:14.429{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C175B42DF2FA112FC0DA8F068D374E36,SHA256=60524A470A3B392D9EBD6C7353ADAA4A4CCD175924A7D9582BF2C71A635A6DDE,IMPHASH=00000000000000000000000000000000falsetrue 12241200x800000000000000091203Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971Context,DeviceConntectedOrUpdatedDeleteKey2022-03-24 11:11:14.639{9531C931-51B4-623C-9B05-000000004302}5728C:\Temp\doublezero_s.exeHKLM\System\CurrentControlSet\Control\Class\{6d807884-7d21-11cf-801c-08002be10318}\Configuration\Variables\FriendlyName 12241200x800000000000000091202Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971T1176DeleteKey2022-03-24 11:11:14.623{9531C931-51B4-623C-9B05-000000004302}5728C:\Temp\doublezero_s.exeHKU\S-1-5-21-2214540325-3392803530-572759246-500\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser 12241200x800000000000000091201Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971Context,DeviceConntectedOrUpdatedDeleteKey2022-03-24 11:11:14.545{9531C931-51B4-623C-9B05-000000004302}5728C:\Temp\doublezero_s.exeHKLM\System\CurrentControlSet\Control\Class\{6bdd1fc6-810f-11d0-bec7-08002be2092f}\Configuration\Variables\FriendlyName 23542300x800000000000000091200Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:14.311{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A7897439196AD9235BDB59CE3974D0D,SHA256=6B25F1C1B925614AC0A2473E395738E0B64F1600B2E44B99EF82027F0A9743E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121513Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:15.522{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21C3F23E62242DC549DBA36C6503B357,SHA256=45931304C8F2FE96650E702A80FB21043AD036E638CA6B287AB27F6D569F9E61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000091206Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:15.907{9531C931-51B4-623C-9B05-000000004302}5728WIN-HOST-TCONTR\AdministratorC:\Temp\doublezero_s.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\f3b28b2a9beb297391f67f2e4386f26e\mscorlib.ni.dllMD5=071BBA3F4791183CDF3CDE741690BE16,SHA256=D110EC54595D690E3CA3CF689FBB1602D39C3DFE78B5EBEB327D3F58AEC1344D,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000091205Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971DLL2022-03-24 11:11:15.889{9531C931-51B4-623C-9B05-000000004302}5728C:\Temp\doublezero_s.exeC:\Sysmon\071BBA3F4791183CDF3CDE741690BE16D110EC54595D690E3CA3CF689FBB1602D39C3DFE78B5EBEB327D3F58AEC1344D00000000000000000000000000000000.dll2022-03-24 11:11:15.889 23542300x800000000000000091204Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:15.405{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4513F8D32BB5784860F68161A7F6D082,SHA256=D4F1FA829B2FDBF387CAB86F93C14FE793590F042B6CBA86608E61DFE4B0CDD6,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000121521Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-SetValue2022-03-24 11:11:16.865{5F3DCEF0-287B-623C-3500-000000004202}2112C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\C415B540-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_C415B540-0000-0000-0000-100000000000.XML 13241300x8000000000000000121520Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-SetValue2022-03-24 11:11:16.865{5F3DCEF0-287B-623C-3500-000000004202}2112C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\E24E79DA-871C-4F1E-B921-5D1DF27ADC35\Config SourceDWORD (0x00000001) 13241300x8000000000000000121519Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-SetValue2022-03-24 11:11:16.865{5F3DCEF0-287B-623C-3500-000000004202}2112C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\E24E79DA-871C-4F1E-B921-5D1DF27ADC35\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_E24E79DA-871C-4F1E-B921-5D1DF27ADC35.XML 10341000x8000000000000000121518Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:16.849{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-287B-623C-3500-000000004202}2112C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121517Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:16.849{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-287B-623C-3500-000000004202}2112C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000121516Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:16.615{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=450606D9A7F19D30F8EC336E258AD0A6,SHA256=12C5DCA96C4BCA3545BFF91066BF209592A87DEC0552C6ADD555EE8FB3A59755,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000121515Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:13.868{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63437-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000091208Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:13.705{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51802-false10.0.1.12-8000- 23542300x800000000000000091207Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:16.420{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9BDCD7D77D46912638EAB6C687286C2,SHA256=E5912D2D6F14880A8966972083426641B9518D5A1E4A574966FBA1AFA7AD5346,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121514Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:16.355{5F3DCEF0-287B-623C-2F00-000000004202}3064NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-055648375a9ac07a7\channels\health\respondent-20220324081453-171MD5=AC296348C12F899BF0F527F2984A2DD1,SHA256=A35560BD23E94F5C9C2AA7752B988DA786BB94608EDDAF755EB3DCD02CE684A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121526Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:17.707{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-287B-623C-3500-000000004202}2112C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121525Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:17.707{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-287B-623C-3500-000000004202}2112C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121524Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:17.707{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-287B-623C-3500-000000004202}2112C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000121523Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:17.692{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D3ED2698AFEA20258431525CC8D15F0,SHA256=5D72B194734B7EE83548E9CF932512A1CAE2D95E574799A5F7EB8449F1C55468,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000091209Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:17.505{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF11D2299CA5F4476B01FB93C10CF7C0,SHA256=1995AD85EF18D6B002D716891FD69BCC9D90CD4A85970A7DDF68B622276ABFAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121522Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:17.366{5F3DCEF0-287B-623C-2F00-000000004202}3064NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-055648375a9ac07a7\channels\health\surveyor-20220324081451-172MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121535Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:18.788{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5345AF478F97BB7BCA7ADE0FDD54BCA1,SHA256=A60297526731C58712C4641C690FDF43529CBB66D0D5732493F174905EA20A30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121534Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:18.757{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=96F4BD2210F1D67E1F145946D6FC31E4,SHA256=3B7E5EA70EA8371C9BA8CA85A136952E0558A63114DDFA875E3831E3199FAD61,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121533Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:18.710{5F3DCEF0-286B-623C-0B00-000000004202}620820C:\Windows\system32\lsass.exe{5F3DCEF0-287B-623C-3500-000000004202}2112C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121532Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:18.710{5F3DCEF0-286B-623C-0B00-000000004202}620820C:\Windows\system32\lsass.exe{5F3DCEF0-287B-623C-3500-000000004202}2112C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000091212Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:18.614{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C114D0183D73B5227F68F7BD9C9B6508,SHA256=FB5CE62E30B08681CE84433BE812B32E7A4035FD561F52F59C57CC9EDBF0B81A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000121531Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:16.604{5F3DCEF0-286D-623C-0D00-000000004202}884C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:44c5:ef28:42ec:7b5win-dc-tcontreras-attack-range-891.attackrange.local63438-truefe80:0:0:0:44c5:ef28:42ec:7b5win-dc-tcontreras-attack-range-891.attackrange.local135epmap 354300x8000000000000000121530Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:16.604{5F3DCEF0-287B-623C-3500-000000004202}2112C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:44c5:ef28:42ec:7b5win-dc-tcontreras-attack-range-891.attackrange.local63438-truefe80:0:0:0:44c5:ef28:42ec:7b5win-dc-tcontreras-attack-range-891.attackrange.local135epmap 10341000x8000000000000000121529Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:18.554{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-287B-623C-3500-000000004202}2112C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121528Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:18.554{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-287B-623C-3500-000000004202}2112C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121527Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:18.554{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-287B-623C-3500-000000004202}2112C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000091211Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:18.474{9531C931-51B4-623C-9B05-000000004302}5728WIN-HOST-TCONTR\AdministratorC:\Temp\doublezero_s.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\System.Compba577418#\79a81756b87fb2db49eea277a3c9a4df\System.ComponentModel.Composition.ni.dllMD5=BA2B1CE48669DF9CEFA1A50CE2B0EEA8,SHA256=63F5085B314A362E975A4C2B983F909D75FAEFA8C685C83AC867C9B12B7E208D,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000091210Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971DLL2022-03-24 11:11:18.474{9531C931-51B4-623C-9B05-000000004302}5728C:\Temp\doublezero_s.exeC:\Sysmon\BA2B1CE48669DF9CEFA1A50CE2B0EEA863F5085B314A362E975A4C2B983F909D75FAEFA8C685C83AC867C9B12B7E208D00000000000000000000000000000000.dll2022-03-24 11:11:18.474 23542300x8000000000000000121538Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:19.773{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08578DABAF7B840A1D23DA9DCEF236D4,SHA256=D4D189399493834082336614192F86213CD68B4718CF29241F79D85847ABA959,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000121537Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:17.459{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63439-false10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local389ldap 354300x8000000000000000121536Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:17.459{5F3DCEF0-287B-623C-3500-000000004202}2112C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63439-false10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local389ldap 23542300x800000000000000091215Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:19.708{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DC901A24B7B77D841F585A6EC844A63,SHA256=3A921517535E3F6D3A27875B4ACDC3C0649B62E10BAD9B86BE43CB526AAE75C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000091214Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:19.146{9531C931-51B4-623C-9B05-000000004302}5728WIN-HOST-TCONTR\AdministratorC:\Temp\doublezero_s.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\System.Dire5d62f0a2#\e3156452049e0b72915714c0ee6dd8f4\System.DirectoryServices.Protocols.ni.dllMD5=C602BC6804F2F4D8759CC056A589E86A,SHA256=9A99BDB0F817E66DD28AE7244C1365F11BACF1B7C61272069284465C8A544DC2,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000091213Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971DLL2022-03-24 11:11:19.146{9531C931-51B4-623C-9B05-000000004302}5728C:\Temp\doublezero_s.exeC:\Sysmon\C602BC6804F2F4D8759CC056A589E86A9A99BDB0F817E66DD28AE7244C1365F11BACF1B7C61272069284465C8A544DC200000000000000000000000000000000.dll2022-03-24 11:11:19.146 23542300x8000000000000000121541Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:20.757{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13E4B1789692BB2B9ADB9D703E707FFF,SHA256=2E2A2142E9F501FE9DBAF26AEB000DD3553C38783F4587E9A18A4CBA4D033B55,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000121540Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:18.306{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63440-false10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local389ldap 354300x8000000000000000121539Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:18.306{5F3DCEF0-287B-623C-3500-000000004202}2112C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63440-false10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local389ldap 23542300x800000000000000091216Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:20.708{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=785EB138D6D794410635B5159F76C948,SHA256=306D6923F30FFF368F283211139F7AC56BC4F3FC53BC427E55728D5520CF255F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121543Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:21.851{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=557E4E103F7CC71EC70B2657974D3990,SHA256=AC38B3A33ABB25394990EB2B6FF09AC94946EDB9903E884CF4AF3097FC24C8F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000091218Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:21.880{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=026B6CCC7780D0E33ED5378DB404A799,SHA256=38D746607D8B6130461808D50155F09E45380B9B3C3AD0F8766351A8E18B9ED6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000091217Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:19.648{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51803-false10.0.1.12-8000- 354300x8000000000000000121542Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:18.931{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63441-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000121544Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:22.945{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99477D327B5F27A8565FC574BF12B2AF,SHA256=8BA69D0C4757C10B6C661EC497E4149C6F249529B34863A3AAAA2C35700DADBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000091219Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:22.786{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C68B391F12B1A93952DE919E144B7A07,SHA256=37557CA6440253A7782C121779B2C8D0A120B1B368C0D37D2E2EAB0813DCAF67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000091220Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:23.896{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C56E231DCF62429CB51D21507E92DEA4,SHA256=8E63C9C99A6990255F9A86A914C117B4C58F771903BC70F372DD1BD8EA9ED990,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000091221Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:24.989{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14BA17D0360DE2CF085FA02E56B2D6BE,SHA256=DC3ACFA68E87F86E14029731F8278750F701AD5E41B79118E4E065ACA48A2695,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121545Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:24.038{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B372063B16F4D780C03B27B8FCC7F28C,SHA256=5FDF12D2779C5E8569D89E07D3CA74C6EC00332FDB45AE9BB2A697576A8B04FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121546Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:25.132{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD7FCF1EA2510BA08A2D1ABDCCB7B154,SHA256=0E0FD8EF4DD6B6FB96CF99E1D5098BDB32A20164AF42001A7B40AF14461F16C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000091224Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:25.693{9531C931-51B4-623C-9B05-000000004302}5728WIN-HOST-TCONTR\AdministratorC:\Temp\doublezero_s.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.AddIn\98a483139c9804405df2ea2697512d50\System.AddIn.ni.dllMD5=8B51ACCA03B454305CD9F624236878CC,SHA256=774DDFA916B458266CB50F5595582E21EE57A21E76201870B2C5298E9F051EBB,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000091223Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971DLL2022-03-24 11:11:25.693{9531C931-51B4-623C-9B05-000000004302}5728C:\Temp\doublezero_s.exeC:\Sysmon\8B51ACCA03B454305CD9F624236878CC774DDFA916B458266CB50F5595582E21EE57A21E76201870B2C5298E9F051EBB00000000000000000000000000000000.dll2022-03-24 11:11:25.693 23542300x800000000000000091222Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:25.255{9531C931-286E-623C-2100-000000004302}2000NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=D25BB1A40E0FE6200FA5BBC924C6B2D4,SHA256=8371A15B5D916C66275F2E0FFF4E768B9C8CAC878FA489EA0B422FAA411216F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121547Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:26.226{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0AF565C946D414F4F9B7D8F9CE5C2E7,SHA256=078D13C2D8852EB9BFADCC082093375E42B82809561ED4792AFD23881CBC4FB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000091225Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:26.083{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF225D35DEF9AB3C2C9C3B0D7C47F1E6,SHA256=06C938E04385DCFBC05DCEE4E6496D2EECFD8E93C9C4E70C2D761A8C0C00DF07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121549Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:27.320{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73097A16E2906EF903C338ACB2A5D75C,SHA256=D9E33F9B94027BB2FA04FEAD5A669425A0C621EF6D2F03241CCD4284F380AAAC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000091227Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:25.617{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51804-false10.0.1.12-8000- 23542300x800000000000000091226Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:27.177{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEAC14CEE8797001B9456665D11958DD,SHA256=D21F1B2FD9EA90CDB341A8A9ECF0308FBDBCB805EDC4C4A111E05808ED6FF7E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000121548Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:24.884{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63442-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000121550Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:28.413{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31DED61AA1BEC2174AF4903C37283678,SHA256=032CCA7D0221B4C78FC5485BE4A1DC00989928B1610C9E6E8F235A14D3F64F98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000091228Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:28.271{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48B189B7C32D04E208C40C82BF363C39,SHA256=AB7DAB3FF31629516FB83672925178AF9085BF0B3E34AFF408A43452E5A16DAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121551Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:29.507{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=106A0AEBABBAB367C3022861F706ADB9,SHA256=D17D89469F17CE07A6D41595CB791BD8DB3DD2F9730B363A2A071EC1B38C10EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000091229Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:29.365{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D2E06B1B179A8E14C2584B7C2379AEF,SHA256=5963A318ED02F6250B19042BB3F8E6ECB7E79014E81135041067CB789C03CCA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121552Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:30.601{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2277C84FA93006895DA0FA9F864F5C6C,SHA256=9E8A7AF668D502DD48374C9EC30BAAF218A7A27B72FABD89FB2F028C3DABAC5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000091230Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:30.458{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90E034215D638379B99057000F39F550,SHA256=3A09578FE58CA96FA9B5910AF93440B60A93A28F50E18BCC13DDC0DDB27F6B68,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000121554Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:29.884{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63443-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000121553Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:31.695{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2DAC3B3964145A0F80E280E2CAEE989,SHA256=8915BF4BD8F4A82C00990762C770572BDD4D2A82393BE05737EA7CFF1233B8AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000091232Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:31.693{9531C931-286E-623C-2100-000000004302}2000NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B25FDCC12974A9C381F03B139373D5A,SHA256=CCB13157BCC6FA0284F12C6446F2447FFDD0F4F85F98465868293CDAEA96B09E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000091231Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:31.552{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05313B6D6F221B9910B63E7A774E91FC,SHA256=738008D7E0286931180A5CCECE548D30F253539752BB6C90C4BFCCD457B3C386,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121555Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:32.788{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5AA4132EF35DDB5F01B6379EAD17F00,SHA256=6EF265B030A8E48982647A762CA55C56022BF6778EF9421E214D518B23D73771,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000091233Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:32.646{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C315224D95A952FD5C816BA41103127E,SHA256=1402C22EB58F611DF93EB1E9CE7CD1A54E202DB15E8EDDD1A9026B15E1C9E268,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121556Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:33.882{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BED1A8BAB4386F11C6D26C3ACA97A54,SHA256=A91BD077633C14D80D54D6F6C52D55B3B43442E2F317FEEC5E1B88815C943D20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000091235Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:33.739{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99020F12770592187E5E57210A961678,SHA256=2741E07129FC7AE1C6A776CBC329284FB1B175E8A323A426BDEB38D7142950A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000091234Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:30.789{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51805-false10.0.1.12-8000- 23542300x8000000000000000121557Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:34.991{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76598E74F9D19379009AF19035C6EDC0,SHA256=25EC7D3CBE7DFCEDE65A47665723F0632E583E112C890F85CF12F3C4B29BB25B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000091237Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:34.833{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F741389E6AC6B0AEC226C3C0AC9CB7D,SHA256=7A60788DABB240C3020603064C12C9222FAA424AE0372AFD424F089E5A4BFB16,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000091236Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:31.227{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51806-false10.0.1.12-8089- 23542300x800000000000000091238Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:11:35.927{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=273FA33215C6A2C8ED2C19FDF4D3147F,SHA256=448D48B2B01BE838D6836EE6DA0E19BE4951C6046D43B56D9A951097C3B4D7EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121558Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:35.210{5F3DCEF0-287B-623C-3200-000000004202}2344NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=87B8C744143A5637B09CE5E2B6B0BA8E,SHA256=BE68B6961582657723726274CA07657575BBA99EBFA4E9238CEDCF5523F6B39D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121559Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:11:36.085{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E651BEB227E4F18DA449050325D5A6EF,SHA256=50E69DAA91B4CA5B7317B4AFED731A6C29A23CFD45BAFCAB8E3E9251626905BE,IMPHASH=00000000000000000000000000000000falsetrue